@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/bin/cdxgen.js

@@ -4,7 +4,14 @@ import crypto from "node:crypto";
 import fs from "node:fs";
 import http from "node:http";
 import https from "node:https";
-import { basename, dirname, join, resolve } from "node:path";
+import {
+  basename,
+  dirname,
+  isAbsolute,
+  join,
+  relative,
+  resolve,
+} from "node:path";
 import process from "node:process";
 
 import { parse as _load } from "yaml";
@@ -25,7 +32,26 @@ import {
   printSummary,
   printTable,
 } from "../lib/helpers/display.js";
+import {
+  createOutputPlan,
+  getOutputDirectory,
+} from "../lib/helpers/exportUtils.js";
 import { TRACE_MODE, thoughtEnd, thoughtLog } from "../lib/helpers/logger.js";
+import {
+  cleanupSourceDir,
+  findGitRefForPurlVersion,
+  gitClone,
+  isAllowedPath,
+  isAllowedWinPath,
+  maybePurlSource,
+  maybeRemotePath,
+  PURL_REGISTRY_LOOKUP_WARNING,
+  resolveGitUrlFromPurl,
+  resolvePurlSourceDirectory,
+  sanitizeRemoteUrlForLogs,
+  validateAndRejectGitSource,
+  validatePurlSource,
+} from "../lib/helpers/source.js";
 import {
   commandsExecuted,
   DEBUG_MODE,
@@ -42,9 +68,10 @@ import {
   toCamel,
 } from "../lib/helpers/utils.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
+import { convertCycloneDxToSpdx } from "../lib/stages/postgen/spdxConverter.js";
 import { auditEnvironment } from "../lib/stages/pregen/envAudit.js";
 import { prepareEnv } from "../lib/stages/pregen/pregen.js";
-import { validateBom } from "../lib/validator/bomValidator.js";
+import { validateBom, validateSpdx } from "../lib/validator/bomValidator.js";
 
 // Support for config files
 const configPaths = [
@@ -134,6 +161,10 @@ const args = _yargs
     description:
       "Perform deep searches for components. Useful while scanning C/C++ apps, live OS and oci images.",
   })
+  .option("git-branch", {
+    description: "Git branch to clone when the source is a git URL or purl",
+    type: "string",
+  })
   .option("server-url", {
     description: "Dependency track url. Eg: https://deptrack.cyclonedx.io",
     type: "string",
@@ -307,6 +338,25 @@ const args = _yargs
     hidden: true,
     choices: ["pre-build", "build", "post-build"],
   })
+  .option("include-release-notes", {
+    type: "boolean",
+    default: false,
+    hidden: true,
+    description:
+      "Attach CycloneDX releaseNotes to the cdxgen tool component in metadata.",
+  })
+  .option("release-notes-current-tag", {
+    type: "string",
+    hidden: true,
+    description:
+      "Current git tag used to build CycloneDX releaseNotes for cdxgen metadata.",
+  })
+  .option("release-notes-previous-tag", {
+    type: "string",
+    hidden: true,
+    description:
+      "Previous git tag used to build CycloneDX releaseNotes for cdxgen metadata.",
+  })
   .option("include-regex", {
     description:
       "glob pattern to include. This overrides the default pattern used during auto-detection.",
@@ -322,6 +372,10 @@ const args = _yargs
     default: false,
     description: "Serialize and export BOM as protobuf binary.",
   })
+  .option("format", {
+    description:
+      "Export format(s). Supports cyclonedx, spdx, repeated --format flags, or a comma-separated list such as cyclonedx,spdx.",
+  })
   .option("proto-bin-file", {
     description: "Path for the serialized protobuf binary.",
     default: "bom.cdx",
@@ -433,12 +487,41 @@ const args = _yargs
     default: "high",
     hidden: true,
   })
+  .option("bom-audit-scope", {
+    description:
+      "Predictive audit target scope. Use 'required' to scan only dependencies with scope=required (missing scope is treated as required).",
+    type: "string",
+    choices: ["all", "required"],
+    default: "all",
+    hidden: true,
+  })
+  .option("bom-audit-max-targets", {
+    description:
+      "Optional upper bound for predictive audit targets. By default cdxgen scans required dependencies first and expands to at least 50 targets.",
+    type: "number",
+    hidden: true,
+  })
+  .option("bom-audit-include-trusted", {
+    description:
+      "Include packages already marked with trusted publishing metadata in predictive BOM audit target selection.",
+    type: "boolean",
+    default: false,
+    hidden: true,
+  })
+  .option("bom-audit-only-trusted", {
+    description:
+      "Restrict predictive BOM audit target selection to packages marked with trusted publishing metadata.",
+    type: "boolean",
+    default: false,
+    hidden: true,
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("type")
   .array("excludeType")
   .array("filter")
   .array("only")
   .array("author")
+  .array("format")
   .array("standard")
   .array("feature-flags")
   .array("technique")
@@ -486,6 +569,12 @@ if (args.help) {
   _yargs.showHelp();
   process.exit(0);
 }
+if (args.bomAuditIncludeTrusted && args.bomAuditOnlyTrusted) {
+  console.error(
+    "Use either --bom-audit-include-trusted or --bom-audit-only-trusted, not both.",
+  );
+  process.exit(1);
+}
 
 // Native Enterprise Network Configuration (Node.js v22.21+, Bun, Deno)
 // https://nodejs.org/en/learn/http/enterprise-network-configuration
@@ -518,6 +607,8 @@ if (!process.env.NODE_USE_SYSTEM_CA) {
 }
 
 const filePath = args._[0] || process.cwd();
+const sourceInputIsRemoteOrPurl =
+  maybeRemotePath(filePath) || maybePurlSource(filePath);
 if (!args.projectName) {
   if (filePath !== ".") {
     args.projectName = basename(filePath);
@@ -527,9 +618,8 @@ if (!args.projectName) {
 }
 thoughtLog(`Let's try to generate a CycloneDX BOM for the path '${filePath}'`);
 if (
-  filePath.includes(" ") ||
-  filePath.includes("\r") ||
-  filePath.includes("\n")
+  !sourceInputIsRemoteOrPurl &&
+  (filePath.includes(" ") || filePath.includes("\r") || filePath.includes("\n"))
 ) {
   console.log(
     `'${filePath}' contains spaces. This could lead to bugs when invoking external build tools.`,
@@ -545,6 +635,10 @@ if (process.argv[1].includes("obom") && !args.type) {
     "Ok, the user wants to generate an Operations Bill-of-Materials (OBOM).",
   );
 }
+if (process.argv[1].includes("spdxgen") && !args.format) {
+  args.format = "spdx";
+  thoughtLog("Ok, defaulting the export format to SPDX.");
+}
 
 /**
  * Command line options
@@ -557,19 +651,23 @@ const options = Object.assign({}, args, {
   deep: args.deep || args.evidence,
   output:
     isSecureMode && args.output === "bom.json"
-      ? resolve(join(filePath, args.output))
+      ? sourceInputIsRemoteOrPurl
+        ? resolve(args.output)
+        : resolve(join(filePath, args.output))
       : args.output,
   exclude: args.exclude || args.excludeRegex,
   include: args.include || args.includeRegex,
 });
-// Should we create the output directory?
-const outputDirectory = dirname(options.output);
-if (
-  outputDirectory &&
-  outputDirectory !== process.cwd() &&
-  !safeExistsSync(outputDirectory)
-) {
-  fs.mkdirSync(outputDirectory, { recursive: true });
+const outputPlan = createOutputPlan(options);
+for (const outputFile of Object.values(outputPlan.outputs)) {
+  const outputDirectory = getOutputDirectory(outputFile);
+  if (
+    outputDirectory &&
+    outputDirectory !== process.cwd() &&
+    !safeExistsSync(outputDirectory)
+  ) {
+    fs.mkdirSync(outputDirectory, { recursive: true });
+  }
 }
 // Filter duplicate types. Eg: -t gradle -t gradle
 if (options.projectType && Array.isArray(options.projectType)) {
@@ -929,6 +1027,129 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
       safeExistsSync(process.env.SBOM_SIGN_PRIVATE_KEY)) ||
       process.env.SBOM_SIGN_PRIVATE_KEY_BASE64));
 
+const stringifyJson = (jsonPayload, jsonPretty) =>
+  typeof jsonPayload === "string" || jsonPayload instanceof String
+    ? jsonPayload
+    : JSON.stringify(jsonPayload, null, jsonPretty ? 2 : null);
+
+const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
+  const jsonPayload = stringifyJson(bomJson, options.jsonPretty);
+  fs.writeFileSync(jsonFile, jsonPayload);
+  if (jsonFile.endsWith("bom.json")) {
+    thoughtLog(
+      `Let's save the file to "${jsonFile}". Should I suggest the '.cdx.json' file extension for better semantics?`,
+    );
+  } else {
+    thoughtLog(`Let's save the file to "${jsonFile}".`);
+  }
+  if (!jsonPayload || !needsBomSigning(options)) {
+    return jsonPayload;
+  }
+  let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
+  if (alg.includes("none")) {
+    alg = "RS512";
+  }
+  let privateKeyToUse;
+  let jwkPublicKey;
+  let publicKeyFile;
+  if (options.generateKeyAndSign) {
+    const jdirName = dirname(jsonFile);
+    publicKeyFile = join(jdirName, "public.key");
+    const privateKeyFile = join(jdirName, "private.key");
+    const privateKeyB64File = join(jdirName, "private.key.base64");
+    const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", {
+      modulusLength: 4096,
+      publicKeyEncoding: {
+        type: "spki",
+        format: "pem",
+      },
+      privateKeyEncoding: {
+        type: "pkcs8",
+        format: "pem",
+      },
+    });
+    fs.writeFileSync(publicKeyFile, publicKey);
+    fs.writeFileSync(privateKeyFile, privateKey);
+    fs.writeFileSync(
+      privateKeyB64File,
+      Buffer.from(privateKey, "utf8").toString("base64"),
+    );
+    console.log(
+      "Created public/private key pairs for testing purposes",
+      publicKeyFile,
+      privateKeyFile,
+      privateKeyB64File,
+    );
+    privateKeyToUse = privateKey;
+    jwkPublicKey = crypto.createPublicKey(publicKey).export({ format: "jwk" });
+  } else {
+    if (process.env?.SBOM_SIGN_PRIVATE_KEY) {
+      privateKeyToUse = fs.readFileSync(
+        process.env.SBOM_SIGN_PRIVATE_KEY,
+        "utf8",
+      );
+    } else if (process.env?.SBOM_SIGN_PRIVATE_KEY_BASE64) {
+      privateKeyToUse = Buffer.from(
+        process.env.SBOM_SIGN_PRIVATE_KEY_BASE64,
+        "base64",
+      ).toString("utf8");
+    }
+    if (
+      process.env.SBOM_SIGN_PUBLIC_KEY &&
+      safeExistsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
+    ) {
+      jwkPublicKey = crypto
+        .createPublicKey(
+          fs.readFileSync(process.env.SBOM_SIGN_PUBLIC_KEY, "utf8"),
+        )
+        .export({ format: "jwk" });
+    } else if (process.env?.SBOM_SIGN_PUBLIC_KEY_BASE64) {
+      jwkPublicKey = Buffer.from(
+        process.env.SBOM_SIGN_PUBLIC_KEY_BASE64,
+        "base64",
+      ).toString("utf8");
+    }
+  }
+  try {
+    const bomJsonUnsignedObj = JSON.parse(jsonPayload);
+    const signOptions = {
+      privateKey: privateKeyToUse,
+      algorithm: alg,
+      publicKeyJwk: jwkPublicKey,
+      mode: process.env.SBOM_SIGN_MODE || "replace",
+      signComponents: true,
+      signServices: true,
+      signAnnotations: true,
+    };
+    thoughtLog(`Signing the BOM file "${jsonFile}".`);
+    const signedBom = signBom(bomJsonUnsignedObj, signOptions);
+    fs.writeFileSync(
+      jsonFile,
+      JSON.stringify(signedBom, null, options.jsonPretty ? 2 : null),
+    );
+    if (publicKeyFile) {
+      const publicKeyStr = fs.readFileSync(publicKeyFile, "utf8");
+      const signatureVerification = verifyBom(signedBom, publicKeyStr);
+      if (signatureVerification) {
+        console.log(
+          "SBOM signature is verifiable natively with the public key and the algorithm",
+          publicKeyFile,
+          alg,
+        );
+      } else {
+        console.log("SBOM signature verification was unsuccessful");
+        console.log("Check if the public key was exported in PEM format");
+      }
+    }
+  } catch (ex) {
+    console.log("SBOM signing was unsuccessful:", ex.message);
+    console.log(
+      "Check if the private key was exported in PEM format and the algorithm is JSF-compliant.",
+    );
+  }
+  return jsonPayload;
+};
+
 /**
  * Method to start the bom creation process
  */
@@ -954,24 +1175,130 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
     const serverModule = await import("../lib/server/server.js");
     return serverModule.start(options);
   }
-  // Check if cdxgen has the required permissions
-  if (!checkPermissions(filePath, options)) {
+  let sourcePath = filePath;
+  let purlResolution;
+  if (maybePurlSource(sourcePath)) {
+    const purlValidationError = validatePurlSource(sourcePath);
+    if (purlValidationError) {
+      console.error(purlValidationError.error, purlValidationError.details);
+      process.exit(1);
+    }
+    purlResolution = await resolveGitUrlFromPurl(sourcePath);
+    if (!purlResolution?.repoUrl) {
+      console.error(
+        "Unable to resolve the provided package URL to a repository URL.",
+      );
+      process.exit(1);
+    }
+    console.warn(
+      `${PURL_REGISTRY_LOOKUP_WARNING} Registry: ${purlResolution.registry}, purl type: ${purlResolution.type}, resolved URL: ${sanitizeRemoteUrlForLogs(purlResolution.repoUrl)}`,
+    );
+    sourcePath = purlResolution.repoUrl;
+  }
+  if (
+    maybeRemotePath(sourcePath) &&
+    isSecureMode &&
+    !process.env.CDXGEN_GIT_ALLOWED_HOSTS &&
+    !process.env.CDXGEN_SERVER_ALLOWED_HOSTS
+  ) {
+    console.error(
+      "SECURE MODE: Configure CDXGEN_GIT_ALLOWED_HOSTS (or CDXGEN_SERVER_ALLOWED_HOSTS) before using git URL or purl sources.",
+    );
+    process.exit(1);
+  }
+  if (!maybeRemotePath(sourcePath) && !isAllowedPath(resolve(sourcePath))) {
+    console.error(
+      "Path is not allowed as per CDXGEN_ALLOWED_PATHS/CDXGEN_SERVER_ALLOWED_PATHS.",
+    );
+    process.exit(1);
+  }
+  if (!maybeRemotePath(sourcePath) && !isAllowedWinPath(resolve(sourcePath))) {
+    console.error("Path is not allowed on this platform.");
+    process.exit(1);
+  }
+  if (maybeRemotePath(sourcePath)) {
+    const validationError = validateAndRejectGitSource(sourcePath);
+    if (validationError) {
+      console.error(validationError.error, validationError.details);
+      process.exit(1);
+    }
+  }
+  const checkPath = maybeRemotePath(sourcePath) ? getTmpDir() : sourcePath;
+  if (maybeRemotePath(sourcePath)) {
+    options.releaseNotesGitUrl = sourcePath;
+  }
+  if (!checkPermissions(checkPath, options)) {
     if (isSecureMode) {
       process.exit(1);
     }
     return;
   }
-  prepareEnv(filePath, options);
+  let srcDir = sourcePath;
+  let cleanup = false;
+  let gitRef = options.gitBranch;
+  if (maybeRemotePath(sourcePath)) {
+    if (!gitRef && purlResolution?.version) {
+      gitRef = findGitRefForPurlVersion(sourcePath, purlResolution);
+      if (!gitRef) {
+        console.warn(
+          `Unable to find a matching git tag for version '${purlResolution.version}'. Falling back to repository default branch.`,
+        );
+      }
+    }
+    srcDir = gitClone(sourcePath, gitRef);
+    if (purlResolution?.type === "npm") {
+      const cloneRootDir = srcDir;
+      const purlSourceDir = resolvePurlSourceDirectory(srcDir, purlResolution);
+      if (purlSourceDir) {
+        if (purlSourceDir !== cloneRootDir) {
+          const relativeDir = relative(cloneRootDir, purlSourceDir);
+          if (relativeDir.startsWith("..") || isAbsolute(relativeDir)) {
+            console.warn(
+              `Ignoring detected npm package directory outside clone root: ${purlSourceDir}`,
+            );
+          } else {
+            console.warn(
+              `Using npm package directory '${purlSourceDir}' for purl '${purlResolution.namespace ? `${purlResolution.namespace}/` : ""}${purlResolution.name}'.`,
+            );
+            srcDir = purlSourceDir;
+          }
+        }
+      }
+    }
+    cleanup = true;
+  }
+  prepareEnv(srcDir, options);
   thoughtLog("Getting ready to generate the BOM ⚡️.");
-  let bomNSData = (await createBom(filePath, options)) || {};
+  const originalFetchPackageMetadata = process.env.CDXGEN_FETCH_PKG_METADATA;
+  if (options.bomAudit) {
+    process.env.CDXGEN_FETCH_PKG_METADATA = "true";
+  }
+  let bomNSData;
+  try {
+    bomNSData = (await createBom(srcDir, options)) || {};
+  } finally {
+    if (originalFetchPackageMetadata === undefined) {
+      delete process.env.CDXGEN_FETCH_PKG_METADATA;
+    } else {
+      process.env.CDXGEN_FETCH_PKG_METADATA = originalFetchPackageMetadata;
+    }
+  }
   if (bomNSData?.bomJson) {
     thoughtLog(
       "Tweaking the generated BOM data with useful annotations and properties.",
     );
   }
   // Add extra metadata and annotations with post processing
-  bomNSData = postProcess(bomNSData, options, filePath);
+  bomNSData = postProcess(bomNSData, options, srcDir);
   if (options.bomAudit && bomNSData?.bomJson) {
+    const { finalizeAuditReport, runAuditFromBoms } = await import(
+      "../lib/audit/index.js"
+    );
+    const { createProgressTracker } = await import("../lib/audit/progress.js");
+    const { collectAuditTargets } = await import("../lib/audit/targets.js");
+    const { formatPredictiveAnnotations, renderConsoleReport } = await import(
+      "../lib/audit/reporters.js"
+    );
     const {
       auditBom,
       formatAnnotations,
@@ -999,160 +1326,125 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
       console.error(
         "Review findings above or adjust --bom-audit-fail-severity to proceed.",
       );
+      if (cleanup) {
+        cleanupSourceDir(srcDir);
+      }
       process.exit(1);
     }
-  }
-  if (
-    options.output &&
-    (typeof options.output === "string" || options.output instanceof String)
-  ) {
-    const jsonFile = options.output;
-    // Create bom json file
-    if (bomNSData.bomJson) {
-      let jsonPayload;
-      if (
-        typeof bomNSData.bomJson === "string" ||
-        bomNSData.bomJson instanceof String
-      ) {
-        fs.writeFileSync(jsonFile, bomNSData.bomJson);
-        jsonPayload = bomNSData.bomJson;
-      } else {
-        jsonPayload = JSON.stringify(
-          bomNSData.bomJson,
-          null,
-          options.jsonPretty ? 2 : null,
-        );
-        fs.writeFileSync(jsonFile, jsonPayload);
-        if (jsonFile.endsWith("bom.json")) {
-          thoughtLog(
-            `Let's save the file to "${jsonFile}". Should I suggest the '.cdx.json' file extension for better semantics?`,
-          );
-        } else {
-          thoughtLog(`Let's save the file to "${jsonFile}".`);
-        }
-      }
-      if (jsonPayload && needsBomSigning(options)) {
-        let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
-        if (alg.includes("none")) {
-          alg = "RS512";
-        }
-        let privateKeyToUse;
-        let jwkPublicKey;
-        let publicKeyFile;
-        if (options.generateKeyAndSign) {
-          const jdirName = dirname(jsonFile);
-          publicKeyFile = join(jdirName, "public.key");
-          const privateKeyFile = join(jdirName, "private.key");
-          const privateKeyB64File = join(jdirName, "private.key.base64");
-          const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", {
-            modulusLength: 4096,
-            publicKeyEncoding: {
-              type: "spki",
-              format: "pem",
-            },
-            privateKeyEncoding: {
-              type: "pkcs8",
-              format: "pem",
-            },
-          });
-          fs.writeFileSync(publicKeyFile, publicKey);
-          fs.writeFileSync(privateKeyFile, privateKey);
-          fs.writeFileSync(
-            privateKeyB64File,
-            Buffer.from(privateKey, "utf8").toString("base64"),
-          );
-          console.log(
-            "Created public/private key pairs for testing purposes",
-            publicKeyFile,
-            privateKeyFile,
-            privateKeyB64File,
-          );
-          privateKeyToUse = privateKey;
-          jwkPublicKey = crypto
-            .createPublicKey(publicKey)
-            .export({ format: "jwk" });
-        } else {
-          if (process.env?.SBOM_SIGN_PRIVATE_KEY) {
-            privateKeyToUse = fs.readFileSync(
-              process.env.SBOM_SIGN_PRIVATE_KEY,
-              "utf8",
-            );
-          } else if (process.env?.SBOM_SIGN_PRIVATE_KEY_BASE64) {
-            privateKeyToUse = Buffer.from(
-              process.env.SBOM_SIGN_PRIVATE_KEY_BASE64,
-              "base64",
-            ).toString("utf8");
-          }
-          if (
-            process.env.SBOM_SIGN_PUBLIC_KEY &&
-            safeExistsSync(process.env.SBOM_SIGN_PUBLIC_KEY)
-          ) {
-            jwkPublicKey = crypto
-              .createPublicKey(
-                fs.readFileSync(process.env.SBOM_SIGN_PUBLIC_KEY, "utf8"),
-              )
-              .export({ format: "jwk" });
-          } else if (process.env?.SBOM_SIGN_PUBLIC_KEY_BASE64) {
-            jwkPublicKey = Buffer.from(
-              process.env.SBOM_SIGN_PUBLIC_KEY_BASE64,
-              "base64",
-            ).toString("utf8");
-          }
-        }
-        try {
-          const bomJsonUnsignedObj = JSON.parse(jsonPayload);
-          const signOptions = {
-            privateKey: privateKeyToUse,
-            algorithm: alg,
-            publicKeyJwk: jwkPublicKey,
-            mode: process.env.SBOM_SIGN_MODE || "replace",
-            signComponents: true,
-            signServices: true,
-            signAnnotations: true,
-          };
-          thoughtLog(`Signing the BOM file "${jsonFile}".`);
-          const signedBom = signBom(bomJsonUnsignedObj, signOptions);
-          fs.writeFileSync(
-            jsonFile,
-            JSON.stringify(signedBom, null, options.jsonPretty ? 2 : null),
-          );
-          if (publicKeyFile) {
-            const publicKeyStr = fs.readFileSync(publicKeyFile, "utf8");
-            const signatureVerification = verifyBom(signedBom, publicKeyStr);
-            if (signatureVerification) {
-              console.log(
-                "SBOM signature is verifiable natively with the public key and the algorithm",
-                publicKeyFile,
-                alg,
-              );
-            } else {
-              console.log("SBOM signature verification was unsuccessful");
-              console.log("Check if the public key was exported in PEM format");
-            }
-          }
-        } catch (ex) {
-          console.log("SBOM signing was unsuccessful:", ex.message);
-          console.log(
-            "Check if the private key was exported in PEM format and the algorithm is JSF-compliant.",
-          );
-        }
-      }
+
+    thoughtLog("Let's run predictive dependency audit...");
+    const progressTracker = createProgressTracker();
+    const predictiveAuditScope =
+      options.bomAuditScope === "required" ? "required" : undefined;
+    const predictiveAuditTrusted = options.bomAuditOnlyTrusted
+      ? "only"
+      : options.bomAuditIncludeTrusted
+        ? "include"
+        : undefined;
+    const requiredAuditTargetCount = collectAuditTargets(
+      [
+        {
+          bomJson: bomNSData.bomJson,
+          source: filePath,
+        },
+      ],
+      {
+        scope: "required",
+        trusted: predictiveAuditTrusted,
+      },
+    ).targets.length;
+    const predictiveAuditMaxTargets =
+      typeof options.bomAuditMaxTargets === "number" &&
+      options.bomAuditMaxTargets > 0
+        ? options.bomAuditMaxTargets
+        : predictiveAuditScope === "required"
+          ? undefined
+          : Math.max(50, requiredAuditTargetCount);
+    let predictiveReport;
+    try {
+      predictiveReport = await runAuditFromBoms(
+        [
+          {
+            bomJson: bomNSData.bomJson,
+            source: filePath,
+          },
+        ],
+        {
+          categories: options.bomAuditCategories
+            ? options.bomAuditCategories
+                .split(",")
+                .map((category) => category.trim())
+                .filter(Boolean)
+            : undefined,
+          failSeverity: options.bomAuditFailSeverity,
+          maxTargets: predictiveAuditMaxTargets,
+          minSeverity: options.bomAuditMinSeverity,
+          onProgress: progressTracker.onProgress,
+          scope: predictiveAuditScope,
+          trusted: predictiveAuditTrusted,
+          trustedSelectionHelp:
+            "Use --bom-audit-include-trusted to include them or --bom-audit-only-trusted to audit just those packages.",
+        },
+      );
+    } finally {
+      progressTracker.stop();
     }
-    // bom ns mapping
-    if (bomNSData.nsMapping && Object.keys(bomNSData.nsMapping).length) {
-      const nsFile = `${jsonFile}.map`;
-      fs.writeFileSync(nsFile, JSON.stringify(bomNSData.nsMapping));
+    if (predictiveReport.summary.totalTargets > 0) {
+      process.stderr.write(
+        renderConsoleReport(predictiveReport, {
+          minSeverity: options.bomAuditMinSeverity,
+        }),
+      );
+    } else if (DEBUG_MODE) {
+      console.log("Predictive BOM audit: No supported npm/PyPI targets found");
     }
-  } else if (!options.print) {
-    if (bomNSData.bomJson) {
-      console.log(
-        JSON.stringify(bomNSData.bomJson, null, options.jsonPretty ? 2 : null),
+    const predictiveAnnotations = formatPredictiveAnnotations(
+      predictiveReport,
+      bomNSData.bomJson,
+      {
+        minSeverity: options.bomAuditMinSeverity,
+      },
+    );
+    if (predictiveAnnotations.length && options.specVersion >= 1.4) {
+      bomNSData.bomJson.annotations = [
+        ...(bomNSData.bomJson.annotations || []),
+        ...predictiveAnnotations,
+      ];
+      thoughtLog(
+        `Embedded ${predictiveAnnotations.length} predictive audit annotations`,
       );
-    } else {
-      console.log("Unable to produce BOM for", filePath);
-      console.log("Try running the command with -t <type> or -r argument");
+    }
+    const predictiveResult = finalizeAuditReport(predictiveReport, {
+      failSeverity: options.bomAuditFailSeverity,
+      minSeverity: options.bomAuditMinSeverity,
+      report: "console",
+    });
+    if (isSecureMode && predictiveResult.exitCode === 3) {
+      console.error(
+        "\nSecure mode: Predictive audit findings exceeded the configured threshold.",
+      );
+      console.error(
+        "Review findings above or adjust --bom-audit-fail-severity to proceed.",
+      );
+      if (cleanup) {
+        cleanupSourceDir(srcDir);
+      }
+      process.exit(1);
     }
   }
+  let internalCycloneDxInputPath = outputPlan.outputs.cyclonedx;
+  if ((options.evidence || options.includeCrypto) && bomNSData?.bomJson) {
+    if (!internalCycloneDxInputPath) {
+      internalCycloneDxInputPath = join(
+        getTmpDir(),
+        `cdxgen-${Date.now()}-${basename(filePath)}.cdx.json`,
+      );
+    }
+    fs.writeFileSync(
+      internalCycloneDxInputPath,
+      stringifyJson(bomNSData.bomJson, options.jsonPretty),
+    );
+  }
   // Evidence generation
   if (options.evidence || options.includeCrypto) {
     // Set the evinse output file to be the same as output file
@@ -1163,7 +1455,7 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
     options.projectType = options.projectType || ["java"];
     const evinseOptions = {
       _: args._,
-      input: options.output,
+      input: internalCycloneDxInputPath || options.output,
       output: options.evinseOutput,
       language: options.projectType,
       skipMavenCollector: false,
@@ -1202,10 +1494,58 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
   if (options.validate && bomNSData?.bomJson) {
     thoughtLog("Wait, let's check the generated BOM file for any issues.");
     if (!validateBom(bomNSData.bomJson)) {
+      if (cleanup) {
+        cleanupSourceDir(srcDir);
+      }
       process.exit(1);
     }
     thoughtLog("✅ BOM file looks valid.");
   }
+  if (
+    outputPlan.formats.has("spdx") &&
+    bomNSData?.bomJson &&
+    bomNSData?.bomJson?.bomFormat === "CycloneDX"
+  ) {
+    thoughtLog(
+      "Preparing the SPDX 3.0.1 export from the validated CycloneDX BOM.",
+    );
+    bomNSData.spdxJson = convertCycloneDxToSpdx(bomNSData.bomJson, options);
+    if (options.validate && !validateSpdx(bomNSData.spdxJson)) {
+      process.exit(1);
+    }
+  }
+  if (
+    options.output &&
+    (typeof options.output === "string" || options.output instanceof String)
+  ) {
+    if (outputPlan.outputs.cyclonedx && bomNSData.bomJson) {
+      writeCycloneDxOutput(
+        outputPlan.outputs.cyclonedx,
+        bomNSData.bomJson,
+        options,
+      );
+      if (bomNSData.nsMapping && Object.keys(bomNSData.nsMapping).length) {
+        const nsFile = `${outputPlan.outputs.cyclonedx}.map`;
+        fs.writeFileSync(nsFile, JSON.stringify(bomNSData.nsMapping));
+      }
+    }
+    if (outputPlan.outputs.spdx && bomNSData.spdxJson) {
+      fs.writeFileSync(
+        outputPlan.outputs.spdx,
+        stringifyJson(bomNSData.spdxJson, options.jsonPretty),
+      );
+      thoughtLog(`Let's save the SPDX file to "${outputPlan.outputs.spdx}".`);
+    }
+  } else if (!options.print) {
+    if (outputPlan.formats.has("spdx") && bomNSData?.spdxJson) {
+      console.log(stringifyJson(bomNSData.spdxJson, options.jsonPretty));
+    } else if (bomNSData.bomJson) {
+      console.log(stringifyJson(bomNSData.bomJson, options.jsonPretty));
+    } else {
+      console.log("Unable to produce BOM for", filePath);
+      console.log("Try running the command with -t <type> or -r argument");
+    }
+  }
   thoughtEnd();
   // Automatically submit the bom data
   // biome-ignore lint/suspicious/noDoubleEquals: yargs passes true for empty values
@@ -1214,6 +1554,9 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
       await submitBom(options, bomNSData.bomJson);
     } catch (err) {
       console.log(err);
+      if (cleanup) {
+        cleanupSourceDir(srcDir);
+      }
       process.exit(1);
     }
   }
@@ -1256,4 +1599,7 @@ const needsBomSigning = ({ generateKeyAndSign }) =>
       console.log(allowListSuggestion);
     }
   }
+  if (cleanup) {
+    cleanupSourceDir(srcDir);
+  }
 })();