@cyclonedx/cdxgen 12.2.0 → 12.3.0

package/lib/helpers/utils.js

@@ -54,10 +54,32 @@ import { parse as _load, parseAllDocuments } from "yaml";
 import { getTreeWithPlugin } from "../managers/piptree.js";
 import { IriValidationStrategy, validateIri } from "../parsers/iri.js";
 import Arborist from "../third-party/arborist/lib/index.js";
+import { analyzeSuspiciousJsFile } from "./analyzer.js";
 import { parseWorkflowFile } from "./ciParsers/githubActions.js";
 import { extractPackageInfoFromHintPath } from "./dotnetutils.js";
 import { thoughtLog, traceLog } from "./logger.js";
+import { createLolbasProperties } from "./lolbas.js";
+import {
+  createOsQueryPurl,
+  deriveOsQueryDescription,
+  deriveOsQueryName,
+  deriveOsQueryPublisher,
+  deriveOsQueryVersion,
+  sanitizeOsQueryIdentity,
+} from "./osqueryTransform.js";
+import {
+  collectPyLockFileComponents,
+  collectPyLockPackageProperties,
+  collectPyLockTopLevelProperties,
+  getPyLockPackages,
+  isDefaultPypiRegistry,
+  isPyLockObject,
+} from "./pylockutils.js";
 import { get_python_command_from_env, getVenvMetadata } from "./pythonutils.js";
+import {
+  collectNpmRegistryProvenanceProperties,
+  collectPypiRegistryProvenanceProperties,
+} from "./registryProvenance.js";
 
 let url = import.meta?.url;
 if (url && !url.startsWith("file://")) {
@@ -229,16 +251,37 @@ export function safeSpawnSync(command, args, options) {
   if (!options.timeout) {
     options.timeout = TIMEOUT_MS;
   }
+  // Emit certain operational warnings only once per process to keep audit logs readable.
+  const emitNoticeOnce = (noticeKey, message, level = "warn") => {
+    if (!globalThis.__cdxgenNoticeCache) {
+      globalThis.__cdxgenNoticeCache = new Set();
+    }
+    if (globalThis.__cdxgenNoticeCache.has(noticeKey)) {
+      return;
+    }
+    globalThis.__cdxgenNoticeCache.add(noticeKey);
+    if (level === "log") {
+      console.log(message);
+      return;
+    }
+    console.warn(message);
+  };
   // Check for -S for python invocations in secure mode
   if (command.includes("python") && (!args?.length || args[0] !== "-S")) {
     if (isSecureMode) {
-      console.warn(
+      emitNoticeOnce(
+        "python-without-S-secure",
         "\x1b[1;35mNotice: Running python command without '-S' argument. This is a bug in cdxgen. Please report with an example repo here https://github.com/cdxgen/cdxgen/issues.\x1b[0m",
       );
     } else if (process.env?.CDXGEN_IN_CONTAINER === "true") {
-      console.log("Running python command without '-S' argument.");
+      emitNoticeOnce(
+        "python-without-S-container",
+        "Running python command without '-S' argument.",
+        "log",
+      );
     } else {
-      console.warn(
+      emitNoticeOnce(
+        "python-without-S-host",
         "\x1b[1;35mNotice: Running python command without '-S' argument. Only run cdxgen in trusted directories to prevent auto-executing local scripts.\x1b[0m",
       );
     }
@@ -265,14 +308,20 @@ export function safeSpawnSync(command, args, options) {
     );
     if (!hasOnlyBinary) {
       if (isSecureMode) {
-        console.warn(
+        emitNoticeOnce(
+          "pip-without-only-binary-secure",
           "\x1b[1;31mSecurity Alert: pip/uv install invoked without '--only-binary' argument in secure mode. This is a bug in cdxgen and introduces Arbitrary Code Execution (ACE) risks. Please report with an example repo here https://github.com/cdxgen/cdxgen/issues.\x1b[0m",
         );
       } else if (process.env?.CDXGEN_IN_CONTAINER === "true") {
-        console.log("Running pip/uv install without '--only-binary' argument.");
+        emitNoticeOnce(
+          "pip-without-only-binary-container",
+          "Running pip/uv install without '--only-binary' argument.",
+          "log",
+        );
       } else {
-        console.warn(
-          "\x1b[1;35mNotice: pip/uv install invoked without '--only-binary'. This allows executing untrusted setup.py scripts. Only run cdxgen in trusted directories.\x1b",
+        emitNoticeOnce(
+          "pip-without-only-binary-host",
+          "\x1b[1;35mNotice: pip/uv install invoked without '--only-binary'. This allows executing untrusted setup.py scripts. Only run cdxgen in trusted directories.\x1b[0m",
         );
       }
     }
@@ -337,6 +386,15 @@ export const DEBUG_MODE =
   ["debug", "verbose"].includes(process.env.CDXGEN_DEBUG_MODE) ||
   process.env.SCAN_DEBUG_MODE === "debug";
 
+export const CDXGEN_SPDX_CREATED_BY = process.env.CDXGEN_SPDX_CREATED_BY;
+
+// Table border style for console output.
+export const TABLE_BORDER_STYLE = ["ascii", "unicode", "auto"].includes(
+  `${process.env.CDXGEN_TABLE_BORDER || ""}`.toLowerCase(),
+)
+  ? `${process.env.CDXGEN_TABLE_BORDER}`.toLowerCase()
+  : "auto";
+
 // Timeout milliseconds. Default 20 mins
 export const TIMEOUT_MS =
   Number.parseInt(process.env.CDXGEN_TIMEOUT_MS, 10) || 20 * 60 * 1000;
@@ -383,6 +441,19 @@ export function shouldFetchLicense() {
   );
 }
 
+/**
+ * Determines whether remote package metadata should be fetched for enrichment.
+ *
+ * @returns {boolean} True when registry metadata enrichment is enabled.
+ */
+export function shouldFetchPackageMetadata() {
+  return (
+    shouldFetchLicense() ||
+    (process.env.CDXGEN_FETCH_PKG_METADATA &&
+      ["true", "1"].includes(process.env.CDXGEN_FETCH_PKG_METADATA))
+  );
+}
+
 /**
  * Determines whether VCS (version control system) information should be fetched
  * for Go packages, based on the GO_FETCH_VCS environment variable.
@@ -679,6 +750,12 @@ export const PROJECT_TYPE_ALIASES = {
     "vscode-extensions",
     "ide-extensions",
   ],
+  "chrome-extension": [
+    "chrome-extension",
+    "chrome-extensions",
+    "chromium-extension",
+    "chromium-extensions",
+  ],
 };
 
 // Package manager aliases
@@ -1120,7 +1197,44 @@ export function getLicenses(pkg) {
               licenseContent.name = l;
             }
           } else if (Object.keys(l).length) {
-            licenseContent = l;
+            licenseContent = { ...l };
+            if (
+              licenseContent.type &&
+              !licenseContent.id &&
+              !licenseContent.name &&
+              !licenseContent.expression
+            ) {
+              if (spdxLicenses.includes(licenseContent.type)) {
+                licenseContent.id = licenseContent.type;
+              } else if (isSpdxLicenseExpression(licenseContent.type)) {
+                licenseContent.expression = licenseContent.type;
+              } else {
+                licenseContent.name = licenseContent.type;
+              }
+            }
+            if (
+              !licenseContent.id &&
+              !licenseContent.name &&
+              !licenseContent.expression &&
+              licenseContent.url?.startsWith("http")
+            ) {
+              const knownLicense = getKnownLicense(licenseContent.url, pkg);
+              if (knownLicense) {
+                if (knownLicense.id) {
+                  licenseContent.id = knownLicense.id;
+                } else if (knownLicense.name) {
+                  licenseContent.name = knownLicense.name;
+                }
+              }
+            }
+            if (
+              !licenseContent.id &&
+              !licenseContent.name &&
+              !licenseContent.expression
+            ) {
+              licenseContent.name = "CUSTOM";
+            }
+            delete licenseContent.type;
           } else {
             return undefined;
           }
@@ -1331,6 +1445,10 @@ export async function getNpmMetadata(pkgList) {
       if (body.homepage) {
         p.homepage = { url: body.homepage };
       }
+      p.properties = p.properties || [];
+      p.properties.push(
+        ...collectNpmRegistryProvenanceProperties(body, p.version),
+      );
       cdepList.push(p);
     } catch (_err) {
       cdepList.push(p);
@@ -1349,6 +1467,382 @@ export async function getNpmMetadata(pkgList) {
  * @param {boolean} simple Return a simpler representation of the component by skipping extended attributes and license fetch.
  * @param {boolean} securityProps Collect security-related properties
  */
+const NPM_INSTALL_HOOK_NAMES = [
+  "preinstall",
+  "install",
+  "postinstall",
+  "prepublish",
+  "prepare",
+];
+
+const NPM_LIFECYCLE_OBFUSCATION_PATTERNS = [
+  [
+    "base64-decode",
+    /\b(?:base64(?:\s+--decode|\s+-d)?|openssl\s+enc\s+-base64\s+-d)\b/i,
+  ],
+  ["buffer-base64", /Buffer\.from\s*\([^)]*,\s*["']base64["']\s*\)/i],
+  ["atob", /\batob\s*\(/i],
+  ["string-from-char-code", /\bString\.fromCharCode\s*\(/i],
+  ["long-base64-literal", /\b[A-Za-z0-9+/]{80,}={0,2}\b/],
+];
+
+const NPM_LIFECYCLE_EXECUTION_PATTERNS = [
+  ["node-eval", /\bnode\b[^\n]*\s-[ep]\b/i],
+  ["eval", /\beval\s*\(/i],
+  ["function-constructor", /\b(?:new\s+Function|Function\s*\()/i],
+  [
+    "child-process",
+    /\b(?:child_process|node:child_process|execSync|execFileSync|spawnSync|execFile|spawn|exec)\b/i,
+  ],
+  [
+    "shell-inline",
+    /\b(?:sh|bash|cmd|powershell|pwsh)\b[^\n]*\s-(?:c|Command|EncodedCommand)\b/i,
+  ],
+];
+
+const NPM_LIFECYCLE_NETWORK_PATTERNS = [
+  ["curl", /\bcurl\b/i],
+  ["wget", /\bwget\b/i],
+  ["invoke-webrequest", /\b(?:invoke-webrequest|iwr)\b/i],
+  ["http-url", /https?:\/\//i],
+];
+
+const NPM_LIFECYCLE_JS_RUNNERS = new Set([
+  "babel-node",
+  "node",
+  "ts-node",
+  "tsx",
+  "bun",
+  "deno",
+]);
+
+const NPM_LIFECYCLE_JS_RUNNER_VALUE_OPTIONS = new Set([
+  "-c",
+  "-e",
+  "-p",
+  "-r",
+  "--config",
+  "--conditions",
+  "--cwd-file",
+  "--compilerOptions",
+  "--cwd",
+  "--env-file",
+  "--env-file-if-exists",
+  "--eval",
+  "--experimental-loader",
+  "--ignore",
+  "--import",
+  "--import-map",
+  "--input-type",
+  "--inspect",
+  "--inspect-brk",
+  "--inspect-port",
+  "--loader",
+  "--print",
+  "--preload",
+  "--project",
+  "--require",
+  "--test-name-pattern",
+  "--test-reporter",
+  "--test-reporter-destination",
+  "--test-shard",
+  "--title",
+  "--tsconfig",
+  "--watch-path",
+]);
+
+const NPM_LIFECYCLE_JS_SOURCE_FILE_PATTERN = /\.[cm]?[jt]sx?$/i;
+const SHELL_ENV_ASSIGNMENT_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*=.*/;
+
+function splitLifecycleScriptCommands(scriptValue) {
+  const commands = [];
+  let current = "";
+  let escaped = false;
+  let quoteChar = "";
+
+  for (let index = 0; index < scriptValue.length; index++) {
+    const character = scriptValue[index];
+    if (escaped) {
+      current += character;
+      escaped = false;
+      continue;
+    }
+    if (character === "\\") {
+      current += character;
+      escaped = true;
+      continue;
+    }
+    if (quoteChar) {
+      current += character;
+      if (character === quoteChar) {
+        quoteChar = "";
+      }
+      continue;
+    }
+    if (character === '"' || character === "'") {
+      current += character;
+      quoteChar = character;
+      continue;
+    }
+    if (character === ";" || character === "|") {
+      if (current.trim()) {
+        commands.push(current.trim());
+      }
+      current = "";
+      continue;
+    }
+    if (character === "&") {
+      if (current.trim()) {
+        commands.push(current.trim());
+      }
+      current = "";
+      if (scriptValue[index + 1] === "&") {
+        index += 1;
+      }
+      continue;
+    }
+    current += character;
+  }
+  if (current.trim()) {
+    commands.push(current.trim());
+  }
+  return commands;
+}
+
+function lifecycleRunnerOptionConsumesValue(token) {
+  if (!token?.startsWith("-") || token === "--") {
+    return false;
+  }
+  if (token.includes("=")) {
+    return false;
+  }
+  if (token.startsWith("--")) {
+    return NPM_LIFECYCLE_JS_RUNNER_VALUE_OPTIONS.has(token);
+  }
+  if (token.length > 2) {
+    return false;
+  }
+  return NPM_LIFECYCLE_JS_RUNNER_VALUE_OPTIONS.has(token);
+}
+
+function isLifecycleScriptSourceFile(token) {
+  if (!token || token.startsWith("-")) {
+    return false;
+  }
+  const fileToken = token.split(/[?#]/u, 1)[0];
+  return NPM_LIFECYCLE_JS_SOURCE_FILE_PATTERN.test(fileToken);
+}
+
+function findLifecycleScriptSourceArg(tokens, startIndex) {
+  for (let index = startIndex; index < tokens.length; index++) {
+    const token = tokens[index]?.trim();
+    if (!token) {
+      continue;
+    }
+    if (token === "--" || SHELL_ENV_ASSIGNMENT_PATTERN.test(token)) {
+      continue;
+    }
+    if (token.startsWith("-")) {
+      if (
+        lifecycleRunnerOptionConsumesValue(token) &&
+        index + 1 < tokens.length
+      ) {
+        index += 1;
+      }
+      continue;
+    }
+    if (isLifecycleScriptSourceFile(token)) {
+      return token;
+    }
+    break;
+  }
+  return undefined;
+}
+
+function findLifecycleScriptSourceStartIndex(tokens, runnerIndex) {
+  const runnerToken = tokens[runnerIndex];
+  for (let index = runnerIndex + 1; index < tokens.length; index++) {
+    const token = tokens[index]?.trim();
+    if (!token || token === "--" || SHELL_ENV_ASSIGNMENT_PATTERN.test(token)) {
+      continue;
+    }
+    if (token.startsWith("-")) {
+      if (
+        lifecycleRunnerOptionConsumesValue(token) &&
+        index + 1 < tokens.length
+      ) {
+        index += 1;
+      }
+      continue;
+    }
+    if (runnerToken === "deno") {
+      return token === "run" ? index + 1 : undefined;
+    }
+    if (runnerToken === "bun" && token === "run") {
+      return index + 1;
+    }
+    return index;
+  }
+  return undefined;
+}
+
+function isResolvedPathWithinDirectory(baseDir, resolvedFile) {
+  const relativePath = relative(baseDir, resolvedFile);
+  if (!relativePath) {
+    return true;
+  }
+  return (
+    !relativePath.startsWith(`..${path.sep}`) &&
+    relativePath !== ".." &&
+    !path.isAbsolute(relativePath)
+  );
+}
+
+function collectLifecyclePatternIndicators(scriptValue, patterns) {
+  const indicators = [];
+  patterns.forEach(([name, pattern]) => {
+    if (pattern.test(scriptValue)) {
+      indicators.push(name);
+    }
+  });
+  return indicators;
+}
+
+function extractLifecycleScriptSourceFiles(pkgJsonFile, scriptValue) {
+  const sourceFiles = [];
+  const seen = new Set();
+  if (!scriptValue || typeof scriptValue !== "string") {
+    return sourceFiles;
+  }
+  const pkgJsonDir = resolve(dirname(pkgJsonFile));
+  const commandSegments = splitLifecycleScriptCommands(scriptValue);
+  for (const commandSegment of commandSegments) {
+    const tokens = splitCommandArgs(commandSegment);
+    for (let index = 0; index < tokens.length; index++) {
+      if (!NPM_LIFECYCLE_JS_RUNNERS.has(tokens[index])) {
+        continue;
+      }
+      const scriptStartIndex = findLifecycleScriptSourceStartIndex(
+        tokens,
+        index,
+      );
+      if (scriptStartIndex === undefined) {
+        continue;
+      }
+      const relativeFile = findLifecycleScriptSourceArg(
+        tokens,
+        scriptStartIndex,
+      );
+      if (!relativeFile) {
+        continue;
+      }
+      const resolvedFile = resolve(pkgJsonDir, relativeFile);
+      if (
+        !isResolvedPathWithinDirectory(pkgJsonDir, resolvedFile) ||
+        !safeExistsSync(resolvedFile) ||
+        seen.has(resolvedFile)
+      ) {
+        continue;
+      }
+      seen.add(resolvedFile);
+      sourceFiles.push(resolvedFile);
+    }
+  }
+  return sourceFiles;
+}
+
+function analyzeNpmLifecycleScripts(pkgJsonFile, scripts) {
+  const executionIndicators = new Set();
+  const networkIndicators = new Set();
+  const obfuscationIndicators = new Set();
+  const obfuscatedScripts = [];
+  const suspiciousScripts = [];
+  const scriptIndicatorMap = [];
+  const riskyScripts = NPM_INSTALL_HOOK_NAMES.filter(
+    (scriptName) => scripts?.[scriptName],
+  );
+  riskyScripts.forEach((scriptName) => {
+    const scriptValue = String(scripts[scriptName] || "");
+    const scriptExecutionIndicators = new Set(
+      collectLifecyclePatternIndicators(
+        scriptValue,
+        NPM_LIFECYCLE_EXECUTION_PATTERNS,
+      ),
+    );
+    const scriptNetworkIndicators = new Set(
+      collectLifecyclePatternIndicators(
+        scriptValue,
+        NPM_LIFECYCLE_NETWORK_PATTERNS,
+      ),
+    );
+    const scriptObfuscationIndicators = new Set(
+      collectLifecyclePatternIndicators(
+        scriptValue,
+        NPM_LIFECYCLE_OBFUSCATION_PATTERNS,
+      ),
+    );
+    extractLifecycleScriptSourceFiles(pkgJsonFile, scriptValue).forEach(
+      (sourceFile) => {
+        const astIndicators = analyzeSuspiciousJsFile(sourceFile);
+        astIndicators.executionIndicators.forEach((indicator) => {
+          scriptExecutionIndicators.add(`ast:${indicator}`);
+        });
+        astIndicators.networkIndicators.forEach((indicator) => {
+          scriptNetworkIndicators.add(`ast:${indicator}`);
+        });
+        astIndicators.obfuscationIndicators.forEach((indicator) => {
+          scriptObfuscationIndicators.add(`ast:${indicator}`);
+        });
+      },
+    );
+    if (scriptObfuscationIndicators.size) {
+      scriptExecutionIndicators.forEach((indicator) => {
+        executionIndicators.add(indicator);
+      });
+      scriptObfuscationIndicators.forEach((indicator) => {
+        obfuscationIndicators.add(indicator);
+      });
+    }
+    if (
+      scriptObfuscationIndicators.size &&
+      (scriptExecutionIndicators.size || scriptNetworkIndicators.size)
+    ) {
+      obfuscatedScripts.push(scriptName);
+    }
+    if (
+      scriptObfuscationIndicators.size ||
+      (scriptExecutionIndicators.size && scriptNetworkIndicators.size)
+    ) {
+      suspiciousScripts.push(scriptName);
+    }
+    scriptNetworkIndicators.forEach((indicator) => {
+      networkIndicators.add(indicator);
+    });
+    if (
+      scriptExecutionIndicators.size ||
+      scriptNetworkIndicators.size ||
+      scriptObfuscationIndicators.size
+    ) {
+      scriptIndicatorMap.push(
+        `${scriptName}:${[
+          ...scriptObfuscationIndicators,
+          ...scriptExecutionIndicators,
+          ...scriptNetworkIndicators,
+        ].join("+")}`,
+      );
+    }
+  });
+  return {
+    executionIndicators: Array.from(executionIndicators).sort(),
+    networkIndicators: Array.from(networkIndicators).sort(),
+    obfuscatedScripts: [...new Set(obfuscatedScripts)].sort(),
+    obfuscationIndicators: Array.from(obfuscationIndicators).sort(),
+    riskyScripts,
+    scriptIndicatorMap: scriptIndicatorMap.sort(),
+    suspiciousScripts: [...new Set(suspiciousScripts)].sort(),
+  };
+}
+
 export async function parsePkgJson(
   pkgJsonFile,
   simple = false,
@@ -1438,24 +1932,70 @@ export async function parsePkgJson(
         // Track lifecycle scripts (preinstall, postinstall, etc. - code execution risk)
         if (pkgData.scripts && Object.keys(pkgData.scripts).length) {
           const scriptNames = Object.keys(pkgData.scripts).join(", ");
+          const lifecycleAnalysis = analyzeNpmLifecycleScripts(
+            pkgJsonFile,
+            pkgData.scripts,
+          );
           apkg.properties.push({
             name: "cdx:npm:scripts",
             value: scriptNames,
           });
           // Flag high-risk scripts specifically
-          const riskyScripts = [
-            "preinstall",
-            "install",
-            "postinstall",
-            "prepublish",
-            "prepare",
-          ].filter((script) => pkgData.scripts[script]);
+          const riskyScripts = lifecycleAnalysis.riskyScripts;
           if (riskyScripts.length) {
+            apkg.properties.push({
+              name: "cdx:npm:hasInstallScript",
+              value: "true",
+            });
             apkg.properties.push({
               name: "cdx:npm:risky_scripts",
               value: riskyScripts.join(", "),
             });
           }
+          if (lifecycleAnalysis.suspiciousScripts.length) {
+            apkg.properties.push({
+              name: "cdx:npm:hasSuspiciousLifecycleScript",
+              value: "true",
+            });
+            apkg.properties.push({
+              name: "cdx:npm:suspiciousLifecycleScripts",
+              value: lifecycleAnalysis.suspiciousScripts.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.obfuscatedScripts.length) {
+            apkg.properties.push({
+              name: "cdx:npm:hasObfuscatedLifecycleScript",
+              value: "true",
+            });
+            apkg.properties.push({
+              name: "cdx:npm:obfuscatedLifecycleScripts",
+              value: lifecycleAnalysis.obfuscatedScripts.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.obfuscationIndicators.length) {
+            apkg.properties.push({
+              name: "cdx:npm:lifecycleObfuscationIndicators",
+              value: lifecycleAnalysis.obfuscationIndicators.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.executionIndicators.length) {
+            apkg.properties.push({
+              name: "cdx:npm:lifecycleExecutionIndicators",
+              value: lifecycleAnalysis.executionIndicators.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.networkIndicators.length) {
+            apkg.properties.push({
+              name: "cdx:npm:lifecycleNetworkIndicators",
+              value: lifecycleAnalysis.networkIndicators.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.scriptIndicatorMap.length) {
+            apkg.properties.push({
+              name: "cdx:npm:lifecycleIndicatorMap",
+              value: lifecycleAnalysis.scriptIndicatorMap.join(" | "),
+            });
+          }
         }
         // Track platform/architecture constraints
         if (pkgData.cpu && Array.isArray(pkgData.cpu) && pkgData.cpu.length) {
@@ -1522,10 +2062,10 @@ export async function parsePkgJson(
       // continue regardless of error
     }
   }
-  if (!simple && shouldFetchLicense() && pkgList?.length) {
+  if (!simple && shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parsePkgJson`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parsePkgJson`,
       );
     }
     return await getNpmMetadata(pkgList);
@@ -1572,7 +2112,9 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
     const srcFilePath = node.path.includes(`${_sep}node_modules`)
       ? node.path.split(`${_sep}node_modules`)[0]
       : node.path;
-    const scope = node.dev === true ? "optional" : undefined;
+    const isDevelopmentNode = node.dev === true || node.devOptional === true;
+    const scope =
+      isDevelopmentNode || node.optional === true ? "optional" : undefined;
     const integrity = node.integrity ? node.integrity : undefined;
 
     let pkg;
@@ -1645,6 +2187,9 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
         purl: purlString,
         "bom-ref": decodeURIComponent(purlString),
       };
+      if (isDevelopmentNode) {
+        _setNpmDevelopmentProperty(pkg);
+      }
       if (node.resolved) {
         if (node.resolved.startsWith("file:")) {
           pkg.properties.push({
@@ -2080,10 +2625,10 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
     options,
   ));
 
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parsePkgLock`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parsePkgLock`,
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -2713,10 +3258,10 @@ export async function parseYarnLock(
     }
   }
 
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parseYarnLock`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parseYarnLock`,
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -2790,10 +3335,10 @@ export async function parseNodeShrinkwrap(swFile) {
       }
     }
   }
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parseNodeShrinkwrap`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parseNodeShrinkwrap`,
       );
     }
     return await getNpmMetadata(pkgList);
@@ -2826,6 +3371,51 @@ function _markTreeOptional(
   }
 }
 
+function _markTreeDevelopment(
+  dbomRef,
+  dependenciesMap,
+  possibleDevelopmentDeps,
+  visited,
+) {
+  // Production-required packages set this map entry to false, and that wins
+  // over any later attempt to propagate a development-only marking.
+  if (possibleDevelopmentDeps[dbomRef] === undefined) {
+    possibleDevelopmentDeps[dbomRef] = true;
+  }
+  if (dependenciesMap[dbomRef] && !visited[dbomRef]) {
+    visited[dbomRef] = true;
+    for (const eachDep of dependenciesMap[dbomRef]) {
+      // Undefined means we have not classified this dependency yet, so we
+      // continue propagating the dev-only marking unless it was already proven
+      // to be non-development via a false entry.
+      if (possibleDevelopmentDeps[eachDep] !== false) {
+        _markTreeDevelopment(
+          eachDep,
+          dependenciesMap,
+          possibleDevelopmentDeps,
+          visited,
+        );
+      }
+    }
+  }
+}
+
+function _setNpmDevelopmentProperty(pkg) {
+  if (!pkg.properties) {
+    pkg.properties = [];
+  }
+  if (
+    !pkg.properties.some((property) => {
+      return property.name === "cdx:npm:package:development";
+    })
+  ) {
+    pkg.properties.push({
+      name: "cdx:npm:package:development",
+      value: "true",
+    });
+  }
+}
+
 function _setTreeWorkspaceRef(
   dependenciesMap,
   depref,
@@ -3201,6 +3791,7 @@ export async function parsePnpmLock(
   // See: #1163
   // Moreover, we have changed >= 9 for >= 6
   // See: discussion #1359
+  const possibleDevelopmentDeps = {};
   const possibleOptionalDeps = {};
   const dependenciesMap = {};
   let ppurl = "";
@@ -3293,7 +3884,7 @@ export async function parsePnpmLock(
           null,
           null,
         ).toString();
-        possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
+        possibleDevelopmentDeps[decodeURIComponent(dpurl)] = true;
       }
       // Find the root optional and peer dependencies
       for (const rdk of Object.keys({ ...rootOptionalDeps, ...rootPeerDeps })) {
@@ -3317,6 +3908,7 @@ export async function parsePnpmLock(
           null,
         ).toString();
         possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
+        possibleDevelopmentDeps[decodeURIComponent(dpurl)] = false;
       }
       // Find the root direct dependencies
       for (const dk of Object.keys(rootDirectDeps)) {
@@ -3344,6 +3936,7 @@ export async function parsePnpmLock(
           // These are direct dependencies so cannot be optional
           possibleOptionalDeps[decodeURIComponent(dpurl)] = false;
         }
+        possibleDevelopmentDeps[decodeURIComponent(dpurl)] = false;
       }
       // pnpm-lock.yaml contains more than root dependencies in importers
       // we do what we did above but for all the other components
@@ -3469,6 +4062,7 @@ export async function parsePnpmLock(
           // This is a definite dependency of this component
           comDepList.add(depRef);
           possibleOptionalDeps[depRef] = false;
+          possibleDevelopmentDeps[depRef] = false;
           // Track the package.json files
           if (pkgSrcFile) {
             if (!srcFilesMap[depRef]) {
@@ -3488,7 +4082,7 @@ export async function parsePnpmLock(
             null,
           ).toString();
           const devDpRef = decodeURIComponent(dpurl);
-          possibleOptionalDeps[devDpRef] = true;
+          possibleDevelopmentDeps[devDpRef] = true;
           // This is also a dependency of this component
           comDepList.add(devDpRef);
         }
@@ -3506,6 +4100,7 @@ export async function parsePnpmLock(
             null,
           ).toString();
           possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
+          possibleDevelopmentDeps[decodeURIComponent(dpurl)] = false;
         }
         dependenciesList.push({
           ref: decodeURIComponent(compPurl),
@@ -3708,7 +4303,21 @@ export async function parsePnpmLock(
             null,
           ).toString();
           const bomRef = decodeURIComponent(purlString);
+          if (
+            packageNode.dev === true &&
+            possibleDevelopmentDeps[bomRef] === undefined
+          ) {
+            possibleDevelopmentDeps[bomRef] = true;
+          }
           const isBaseOptional = possibleOptionalDeps[bomRef];
+          // optionalDependencies are tracked separately because they may still
+          // be runtime-relevant and should keep the CycloneDX optional scope.
+          // packageNode.dev captures explicit dev-only packages from the lock
+          // entry, while possibleDevelopmentDeps lets that marking propagate to
+          // transitive dependencies discovered through the dependency graph.
+          const isBaseDevelopment =
+            packageNode.dev === true ||
+            possibleDevelopmentDeps[bomRef] === true;
           const deplist = [];
           for (let dpkgName of Object.keys(deps)) {
             let vers = deps[dpkgName];
@@ -3751,6 +4360,18 @@ export async function parsePnpmLock(
                 {},
               );
             }
+            if (
+              isBaseDevelopment &&
+              possibleDevelopmentDeps[dbomRef] === undefined
+            ) {
+              possibleDevelopmentDeps[dbomRef] = true;
+              _markTreeDevelopment(
+                dbomRef,
+                dependenciesMap,
+                possibleDevelopmentDeps,
+                {},
+              );
+            }
           }
           if (!dependenciesMap[bomRef]) {
             dependenciesMap[bomRef] = [];
@@ -3910,6 +4531,19 @@ export async function parsePnpmLock(
       }
     }
   }
+  // Repeat development dependency detection after the dependency graph is fully
+  // built, since a single package iteration can encounter a dev-only component
+  // before its own dependency list has been captured in dependenciesMap.
+  for (const dependencyRef of Object.keys(possibleDevelopmentDeps)) {
+    if (possibleDevelopmentDeps[dependencyRef] === true) {
+      _markTreeDevelopment(
+        dependencyRef,
+        dependenciesMap,
+        possibleDevelopmentDeps,
+        {},
+      );
+    }
+  }
 
   // Problem: We might have over aggressively marked a package as optional even it is both required and optional
   // The below loops ensure required packages continue to stay required
@@ -3940,6 +4574,15 @@ export async function parsePnpmLock(
     if (requiredDependencies[apkg["bom-ref"]]) {
       apkg.scope = undefined;
     }
+    if (
+      !requiredDependencies[apkg["bom-ref"]] &&
+      possibleDevelopmentDeps[apkg["bom-ref"]]
+    ) {
+      if (!apkg.scope) {
+        apkg.scope = "optional";
+      }
+      _setNpmDevelopmentProperty(apkg);
+    }
     if (possibleAliasesRefs[apkg["bom-ref"]]) {
       apkg.properties.push({
         name: "cdx:pnpm:alias",
@@ -4011,10 +4654,10 @@ export async function parsePnpmLock(
     pkgList = await pnpmMetadata(pkgList, pnpmLock);
   }
 
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parsePnpmLock`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parsePnpmLock`,
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -4072,10 +4715,10 @@ export async function parseBowerJson(bowerJsonFile) {
       // continue regardless of error
     }
   }
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parseBowerJson`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parseBowerJson`,
       );
     }
     return await getNpmMetadata(pkgList);
@@ -4170,10 +4813,10 @@ export async function parseMinJs(minJsFile) {
       // continue regardless of error
     }
   }
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parseMinJs`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parseMinJs`,
       );
     }
     return await getNpmMetadata(pkgList);
@@ -5665,7 +6308,7 @@ export function guessPypiMatchingVersion(versionsList, versionSpecifiers) {
  * @param {Boolean} fetchDepsInfo Fetch dependencies info from pypi
  */
 export async function getPyMetadata(pkgList, fetchDepsInfo) {
-  if (!shouldFetchLicense() && !fetchDepsInfo) {
+  if (!shouldFetchPackageMetadata() && !fetchDepsInfo) {
     return pkgList;
   }
   const PYPI_URL = process.env.PYPI_URL || "https://pypi.org/pypi/";
@@ -5841,6 +6484,10 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
         null,
         null,
       ).toString();
+      p.properties = p.properties || [];
+      p.properties.push(
+        ...collectPypiRegistryProvenanceProperties(body, p.version),
+      );
       p.purl = purlString;
       p["bom-ref"] = decodeURIComponent(purlString);
       cdepList.push(p);
@@ -6243,9 +6890,9 @@ export function parsePyProjectTomlFile(tomlFile) {
 }
 
 /**
- * Method to parse python lock files such as poetry.lock, pdm.lock, uv.lock.
+ * Method to parse python lock files such as poetry.lock, pdm.lock, uv.lock, and pylock.toml.
  *
- * @param {Object} lockData JSON data from poetry.lock, pdm.lock, or uv.lock file
+ * @param {string} lockData Raw TOML text from poetry.lock, pdm.lock, uv.lock, or pylock.toml
  * @param {string} lockFile Lock file name for evidence
  * @param {string} pyProjectFile pyproject.toml file
  */
@@ -6262,6 +6909,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
   let workspacePaths;
   let workspaceWarningShown = false;
   let hasWorkspaces = false;
+  let pyLockProperties = [];
   // Keep track of any workspace components to be added to the parent component
   const workspaceComponentMap = {};
   const workspacePyProjMap = {};
@@ -6390,7 +7038,17 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
       }
     }
   }
-  for (const apkg of lockTomlObj.package || []) {
+  const pyLockMode = isPyLockObject(lockTomlObj);
+  if (pyLockMode) {
+    pyLockProperties = collectPyLockTopLevelProperties(lockTomlObj);
+    if (parentComponent) {
+      parentComponent.properties = parentComponent.properties || [];
+      parentComponent.properties =
+        parentComponent.properties.concat(pyLockProperties);
+    }
+  }
+  const packageEntries = getPyLockPackages(lockTomlObj);
+  for (const apkg of packageEntries) {
     // This avoids validation errors with uv.lock
     if (parentComponent?.name && parentComponent.name === apkg.name) {
       continue;
@@ -6410,10 +7068,19 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
     if (apkg.optional) {
       pkg.scope = "optional";
     }
-    if (apkg["python-versions"]) {
+    // poetry/pdm/uv use "python-versions", while pylock (PEP 751) uses "requires-python".
+    // Prefer the existing lock-family field when both are present.
+    const requiresPython = apkg["python-versions"] || apkg["requires-python"];
+    if (requiresPython) {
       pkg.properties.push({
         name: "cdx:pypi:requiresPython",
-        value: apkg["python-versions"],
+        value: requiresPython,
+      });
+    }
+    if (apkg.index && !isDefaultPypiRegistry(apkg.index)) {
+      pkg.properties.push({
+        name: "cdx:pypi:registry",
+        value: apkg.index,
       });
     }
     if (apkg?.source) {
@@ -6439,6 +7106,11 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         });
       }
     }
+    if (pyLockMode) {
+      pkg.properties = pkg.properties.concat(
+        collectPyLockPackageProperties(apkg),
+      );
+    }
     // Is this component a module?
     if (workspaceComponentMap[pkg.name]) {
       pkg.properties.push({
@@ -6526,6 +7198,12 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         });
       }
     }
+    if (pyLockMode) {
+      const pylockFileComponents = collectPyLockFileComponents(apkg, lockFile);
+      if (pylockFileComponents.length) {
+        pkg.components = (pkg.components || []).concat(pylockFileComponents);
+      }
+    }
     if (
       directDepsKeys[pkg.name] ||
       (hasWorkspaces && !Object.keys(workspaceComponentMap).length)
@@ -6582,13 +7260,14 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
           // Example: "msgpack>=0.5.2"
           const nameStr =
             apkgDep.name || apkgDep.split(/(==|<=|~=|>=)/)[0].split(" ")[0];
-          depsMap[pkg["bom-ref"]].add(existingPkgMap[nameStr] || nameStr);
+          // Python package names are normalized/case-insensitive; support both forms for lookup.
+          const nameLower = nameStr.toLowerCase();
+          const depPkgRef =
+            existingPkgMap[nameLower] || existingPkgMap[nameStr];
+          depsMap[pkg["bom-ref"]].add(depPkgRef || nameStr);
           // Propagate the workspace properties to the child components
-          if (
-            existingPkgMap[nameStr] &&
-            pkgBomRefMap[existingPkgMap[nameStr]]
-          ) {
-            const dependentPkg = pkgBomRefMap[existingPkgMap[nameStr]];
+          if (depPkgRef && pkgBomRefMap[depPkgRef]) {
+            const dependentPkg = pkgBomRefMap[depPkgRef];
             dependentPkg.properties = dependentPkg.properties || [];
             const addedValue = {};
             // Is the parent a workspace
@@ -6630,6 +7309,8 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         depRef = adep;
       } else if (existingPkgMap[adep]) {
         depRef = existingPkgMap[adep];
+      } else if (existingPkgMap[adep.toLowerCase()]) {
+        depRef = existingPkgMap[adep.toLowerCase()];
       } else if (existingPkgMap[`py${adep}`]) {
         depRef = existingPkgMap[`py${adep}`];
       } else if (existingPkgMap[adep.replace(/-/g, "_")]) {
@@ -6699,6 +7380,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
     pkgList,
     rootList,
     dependenciesList,
+    pyLockProperties,
     workspaceWarningShown,
   };
 }
@@ -12810,38 +13492,14 @@ export function convertOSQueryResults(
   const pkgList = [];
   if (results?.length) {
     for (const res of results) {
-      const version =
-        res.version ||
-        res.hotfix_id ||
-        res.hardware_version ||
-        res.port ||
-        res.pid ||
-        res.subject_key_id ||
-        res.interface ||
-        res.instance_id;
-      let name =
-        res.name ||
-        res.device_id ||
-        res.hotfix_id ||
-        res.uuid ||
-        res.serial ||
-        res.pid ||
-        res.address ||
-        res.ami_id ||
-        res.interface ||
-        res.client_app_id;
+      const version = deriveOsQueryVersion(res);
+      let name = deriveOsQueryName(res, results.length === 1, queryObj.name);
+      if (queryObj.purlType === "chrome-extension") {
+        name = (res.identifier || res.extension_id || name || "").toLowerCase();
+      }
       let group = "";
       const subpath = res.path || res.admindir || res.source;
-      let publisher =
-        res.publisher ||
-        res.maintainer ||
-        res.creator ||
-        res.manufacturer ||
-        res.provider ||
-        "";
-      if (publisher === "null") {
-        publisher = "";
-      }
+      const publisher = deriveOsQueryPublisher(res);
       // For vscode-extension purl type, the publisher is used as the namespace
       if (queryObj.purlType === "vscode-extension" && publisher) {
         group = publisher.toLowerCase();
@@ -12852,20 +13510,8 @@ export function convertOSQueryResults(
         scope = compScope;
       }
       const description =
-        res.description ||
-        res.summary ||
-        res.arguments ||
-        res.device ||
-        res.codename ||
-        res.section ||
-        res.status ||
-        res.identifier ||
-        res.components ||
-        "";
-      // Re-use the name from query obj
-      if (!name && results.length === 1 && queryObj.name) {
-        name = queryObj.name;
-      }
+        deriveOsQueryDescription(res) ||
+        (queryObj.purlType === "chrome-extension" ? res.name || "" : "");
       let qualifiers;
       if (res.identifying_number?.length) {
         qualifiers = {
@@ -12873,25 +13519,18 @@ export function convertOSQueryResults(
         };
       }
       if (name) {
-        name = name
-          .replace(/ /g, "+")
-          .replace(/[:%]/g, "-")
-          .replace(/^[@{]/g, "")
-          .replace(/[}]$/g, "");
-        group = group
-          .replace(/ /g, "+")
-          .replace(/[:%]/g, "-")
-          .replace(/^[@{]/g, "")
-          .replace(/[}]$/g, "");
-        const purl = new PackageURL(
-          queryObj.purlType || "swid",
+        name = sanitizeOsQueryIdentity(name);
+        group = sanitizeOsQueryIdentity(group);
+        const purl = createOsQueryPurl(
+          queryObj.purlType,
           group,
           name,
-          version || "",
+          version,
           qualifiers,
           subpath,
-        ).toString();
+        );
         const props = [{ name: "cdx:osquery:category", value: queryCategory }];
+        props.push(...createLolbasProperties(queryCategory, res));
         let providesList;
         if (enhance) {
           switch (queryObj.purlType) {
@@ -12928,9 +13567,15 @@ export function convertOSQueryResults(
           scope,
           type: queryObj.componentType,
         };
-        for (const k of Object.keys(res).filter(
-          (p) => !["name", "version", "description", "publisher"].includes(p),
-        )) {
+        for (const k of Object.keys(res).filter((p) => {
+          if (["version", "description", "publisher"].includes(p)) {
+            return false;
+          }
+          if (queryObj.purlType !== "chrome-extension" && p === "name") {
+            return false;
+          }
+          return true;
+        })) {
           if (res[k] && res[k] !== "null") {
             props.push({
               name: k,
@@ -13612,6 +14257,76 @@ export function parseJarManifest(jarMetadata) {
   return metadata;
 }
 
+/**
+ * Determine whether a manifest candidate looks like a namespace-qualified identifier.
+ *
+ * @param {string} candidate Manifest field value
+ * @returns {boolean} True when candidate appears namespace-qualified
+ */
+function isQualifiedJarNamespace(candidate) {
+  return (
+    !!candidate &&
+    !candidate.includes(" ") &&
+    (candidate.includes(".") || candidate.includes("-"))
+  );
+}
+
+/**
+ * Select the most reliable group candidate from JAR manifest metadata.
+ *
+ * @param {Object} jarMetadata Parsed MANIFEST.MF key-value map
+ * @returns {string} Best group candidate, or empty string if none exists
+ */
+export function inferJarGroupFromManifest(jarMetadata = {}) {
+  // Keep this ordered from most to least namespace-qualified manifest fields.
+  // Extension-Name is intentionally lower priority due to inconsistent usage.
+  const qualifiedCandidates = [
+    jarMetadata["Bundle-SymbolicName"],
+    jarMetadata["Automatic-Module-Name"],
+    jarMetadata["Implementation-Title"],
+    jarMetadata["Extension-Name"],
+  ];
+  for (const candidate of qualifiedCandidates) {
+    if (isQualifiedJarNamespace(candidate)) {
+      return candidate;
+    }
+  }
+  return (
+    jarMetadata["Implementation-Vendor-Id"] ||
+    jarMetadata["Bundle-Vendor"] ||
+    jarMetadata["Extension-Name"] ||
+    ""
+  );
+}
+
+/**
+ * Trim group suffix that duplicates the artifact name for compound artifact names.
+ *
+ * @param {string} group Group candidate
+ * @param {string} name Artifact name candidate
+ * @returns {string} Adjusted group
+ */
+export function trimJarGroupSuffix(group, name) {
+  if (!group || !name || group.startsWith("javax")) {
+    return group;
+  }
+  // Only trim when the artifact name contains a separator (hyphen or dot).
+  if (!name.includes("-") && !name.includes(".")) {
+    return group;
+  }
+  const lowerName = name.toLowerCase();
+  const dottedName = lowerName.replace(/-/g, ".");
+  const dottedSuffix = `.${dottedName}`;
+  if (group.endsWith(dottedSuffix)) {
+    return group.slice(0, -dottedSuffix.length);
+  }
+  const lowerSuffix = `.${lowerName}`;
+  if (group.endsWith(lowerSuffix)) {
+    return group.slice(0, -lowerSuffix.length);
+  }
+  return group;
+}
+
 /**
  * Parse a Maven pom.properties file and return its key-value pairs as an object.
  *
@@ -13902,14 +14617,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
               .split(";")[0]
               .trim();
           }
-          group =
-            group ||
-            jarMetadata["Extension-Name"] ||
-            jarMetadata["Implementation-Vendor-Id"] ||
-            jarMetadata["Bundle-SymbolicName"] ||
-            jarMetadata["Bundle-Vendor"] ||
-            jarMetadata["Automatic-Module-Name"] ||
-            "";
+          group = group || inferJarGroupFromManifest(jarMetadata);
           version =
             version ||
             jarMetadata["Bundle-Version"] ||
@@ -13965,16 +14673,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
           }
           // Sometimes the group might already contain the name
           // Eg: group: org.checkerframework.checker.qual name: checker-qual
-          if (name && group && !group.startsWith("javax")) {
-            if (group.includes(`.${name.toLowerCase().replace(/-/g, ".")}`)) {
-              group = group.replace(
-                new RegExp(`.${name.toLowerCase().replace(/-/g, ".")}$`),
-                "",
-              );
-            } else if (group.includes(`.${name.toLowerCase()}`)) {
-              group = group.replace(new RegExp(`.${name.toLowerCase()}$`), "");
-            }
-          }
+          group = trimJarGroupSuffix(group, name);
           // Patch the group string
           if (vendorAliases[name]) {
             group = vendorAliases[name];
@@ -16447,6 +17146,7 @@ export async function addEvidenceForImports(
       : [name];
     let isImported = false;
     for (const alias of aliases) {
+      const isWasmAlias = /\.wasm([?#].*)?$/i.test(alias);
       const all_includes = impPkgs.filter(
         (find_pkg) =>
           find_pkg.startsWith(alias) &&
@@ -16456,12 +17156,20 @@ export async function addEvidenceForImports(
         find_pkg.startsWith(alias),
       );
       if (all_exports?.length) {
-        let exportedModules = new Set(all_exports);
+        let exportedModules = new Set(isWasmAlias ? [] : all_exports);
         pkg.properties = pkg.properties || [];
         for (const subevidence of all_exports) {
           const evidences = allExports[subevidence];
           for (const evidence of evidences) {
             if (evidence && Object.keys(evidence).length) {
+              if (isWasmAlias) {
+                for (const wasmImportedModule of evidence.importedModules ||
+                  []) {
+                  if (wasmImportedModule?.length) {
+                    exportedModules.add(wasmImportedModule);
+                  }
+                }
+              }
               if (evidence.exportedModules.length > 1) {
                 for (const aexpsubm of evidence.exportedModules) {
                   // Be selective on the submodule names
@@ -16496,6 +17204,8 @@ export async function addEvidenceForImports(
       if (impPkgs.includes(alias) || all_includes.length) {
         isImported = true;
         let importedModules = new Set();
+        let wasmExportedModules = new Set();
+        const seenOccurrenceLocations = new Set();
         pkg.scope = "required";
         for (const subevidence of all_includes) {
           const evidences = allImports[subevidence];
@@ -16503,16 +17213,23 @@ export async function addEvidenceForImports(
             if (evidence && Object.keys(evidence).length && evidence.fileName) {
               pkg.evidence = pkg.evidence || {};
               pkg.evidence.occurrences = pkg.evidence.occurrences || [];
-              pkg.evidence.occurrences.push({
-                location: `${evidence.fileName}${
-                  evidence.lineNumber ? `#${evidence.lineNumber}` : ""
-                }`,
-              });
+              const occurrenceLocation = `${evidence.fileName}${
+                evidence.lineNumber ? `#${evidence.lineNumber}` : ""
+              }`;
+              if (!seenOccurrenceLocations.has(occurrenceLocation)) {
+                pkg.evidence.occurrences.push({
+                  location: occurrenceLocation,
+                });
+                seenOccurrenceLocations.add(occurrenceLocation);
+              }
               importedModules.add(evidence.importedAs);
               for (const importedSm of evidence.importedModules || []) {
                 if (!importedSm) {
                   continue;
                 }
+                if (isWasmAlias) {
+                  wasmExportedModules.add(importedSm);
+                }
                 // Store both the short and long form of the imported sub modules
                 if (importedSm.length > 3) {
                   importedModules.add(importedSm);
@@ -16523,6 +17240,7 @@ export async function addEvidenceForImports(
           }
         }
         importedModules = Array.from(importedModules);
+        wasmExportedModules = Array.from(wasmExportedModules);
         if (importedModules.length) {
           pkg.properties = pkg.properties || [];
           pkg.properties.push({
@@ -16530,6 +17248,15 @@ export async function addEvidenceForImports(
             value: importedModules.join(","),
           });
         }
+        if (isWasmAlias && wasmExportedModules.length) {
+          pkg.properties = pkg.properties || [];
+          if (!pkg.properties.some((p) => p.name === "ExportedModules")) {
+            pkg.properties.push({
+              name: "ExportedModules",
+              value: wasmExportedModules.join(","),
+            });
+          }
+        }
         break;
       }
       if (
@@ -17774,6 +18501,29 @@ export function parseMakeDFile(dfile) {
   return pkgFilesMap;
 }
 
+const isAsciiHexCode = (code) => {
+  return (
+    (code >= 0x30 && code <= 0x39) ||
+    (code >= 0x41 && code <= 0x46) ||
+    (code >= 0x61 && code <= 0x66)
+  );
+};
+
+const hasValidPercentEncoding = (value) => {
+  for (let index = 0; index < value.length; index++) {
+    if (value.charCodeAt(index) !== 0x25) {
+      continue;
+    }
+    const firstHex = value.charCodeAt(index + 1);
+    const secondHex = value.charCodeAt(index + 2);
+    if (!isAsciiHexCode(firstHex) || !isAsciiHexCode(secondHex)) {
+      return false;
+    }
+    index += 2;
+  }
+  return true;
+};
+
 /**
  * Function to validate an externalReference URL for conforming to the JSON schema or bomLink
  * https://github.com/CycloneDX/cyclonedx-core-java/blob/75575318b268dda9e2a290761d7db11b4f414255/src/main/resources/bom-1.5.schema.json#L1140
@@ -17798,13 +18548,9 @@ export function isValidIriReference(iri) {
     return false;
   }
 
-  // Check for malformed percent-encoding sequences more robustly
-  // This regex looks for a % that is NOT followed by:
-  // - Exactly two hex digits that are then either:
-  //   - The end of the string ($)
-  //   - Or a character that is NOT a hex digit ([^0-9A-Fa-f])
-  // This catches %ab, %ab%, %abZ, %abc, etc.
-  if (/%(?!([0-9A-Fa-f]{2})($|[^0-9A-Fa-f]))/.test(iri)) {
+  // Validate percent-encoding with a linear scan to avoid regex backtracking
+  // issues on very long attacker-controlled inputs.
+  if (!hasValidPercentEncoding(iri)) {
     return false;
   }