npm - @cyclonedx/cdxgen - Versions diffs - 12.2.1 → 12.3.0 - Mend

@cyclonedx/cdxgen 12.2.1 → 12.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/README.md +239 -90
package/bin/audit.js +191 -0
package/bin/cdxgen.js +513 -167
package/bin/convert.js +99 -0
package/bin/evinse.js +23 -0
package/bin/repl.js +339 -8
package/bin/sign.js +8 -0
package/bin/validate.js +8 -0
package/bin/verify.js +8 -0
package/data/container-knowledge-index.json +125 -0
package/data/gtfobins-index.json +6296 -0
package/data/lolbas-index.json +150 -0
package/data/queries-darwin.json +63 -3
package/data/queries-win.json +45 -3
package/data/queries.json +74 -2
package/data/rules/chrome-extensions.yaml +240 -0
package/data/rules/ci-permissions.yaml +478 -18
package/data/rules/container-risk.yaml +270 -0
package/data/rules/obom-runtime.yaml +891 -0
package/data/rules/package-integrity.yaml +49 -0
package/data/spdx-export.schema.json +6794 -0
package/data/spdx-model-v3.0.1.jsonld +15999 -0
package/lib/audit/index.js +1924 -0
package/lib/audit/index.poku.js +1488 -0
package/lib/audit/progress.js +137 -0
package/lib/audit/progress.poku.js +188 -0
package/lib/audit/reporters.js +618 -0
package/lib/audit/scoring.js +310 -0
package/lib/audit/scoring.poku.js +341 -0
package/lib/audit/targets.js +260 -0
package/lib/audit/targets.poku.js +331 -0
package/lib/cli/index.js +154 -11
package/lib/cli/index.poku.js +251 -0
package/lib/helpers/analyzer.js +446 -2
package/lib/helpers/analyzer.poku.js +72 -1
package/lib/helpers/annotationFormatter.js +49 -0
package/lib/helpers/annotationFormatter.poku.js +44 -0
package/lib/helpers/bomUtils.js +36 -0
package/lib/helpers/bomUtils.poku.js +51 -0
package/lib/helpers/caxa.js +2 -2
package/lib/helpers/chromextutils.js +1153 -0
package/lib/helpers/chromextutils.poku.js +493 -0
package/lib/helpers/ciParsers/githubActions.js +1632 -45
package/lib/helpers/ciParsers/githubActions.poku.js +853 -1
package/lib/helpers/containerRisk.js +186 -0
package/lib/helpers/containerRisk.poku.js +52 -0
package/lib/helpers/display.js +241 -59
package/lib/helpers/display.poku.js +162 -2
package/lib/helpers/exportUtils.js +123 -0
package/lib/helpers/exportUtils.poku.js +60 -0
package/lib/helpers/formulationParsers.js +69 -0
package/lib/helpers/formulationParsers.poku.js +44 -0
package/lib/helpers/gtfobins.js +189 -0
package/lib/helpers/gtfobins.poku.js +49 -0
package/lib/helpers/lolbas.js +267 -0
package/lib/helpers/lolbas.poku.js +39 -0
package/lib/helpers/osqueryTransform.js +84 -0
package/lib/helpers/osqueryTransform.poku.js +49 -0
package/lib/helpers/provenanceUtils.js +193 -0
package/lib/helpers/provenanceUtils.poku.js +145 -0
package/lib/helpers/pylockutils.js +281 -0
package/lib/helpers/pylockutils.poku.js +48 -0
package/lib/helpers/registryProvenance.js +793 -0
package/lib/helpers/registryProvenance.poku.js +452 -0
package/lib/helpers/source.js +1267 -0
package/lib/helpers/source.poku.js +771 -0
package/lib/helpers/spdxUtils.js +97 -0
package/lib/helpers/spdxUtils.poku.js +70 -0
package/lib/helpers/unicodeScan.js +147 -0
package/lib/helpers/unicodeScan.poku.js +45 -0
package/lib/helpers/utils.js +700 -128
package/lib/helpers/utils.poku.js +877 -80
package/lib/managers/binary.js +29 -5
package/lib/managers/docker.js +179 -52
package/lib/managers/docker.poku.js +327 -28
package/lib/managers/oci.js +107 -23
package/lib/managers/oci.poku.js +132 -0
package/lib/server/openapi.yaml +17 -0
package/lib/server/server.js +225 -336
package/lib/server/server.poku.js +16 -10
package/lib/stages/postgen/annotator.js +7 -0
package/lib/stages/postgen/annotator.poku.js +40 -0
package/lib/stages/postgen/auditBom.js +19 -3
package/lib/stages/postgen/auditBom.poku.js +1729 -67
package/lib/stages/postgen/postgen.js +40 -0
package/lib/stages/postgen/postgen.poku.js +47 -0
package/lib/stages/postgen/ruleEngine.js +80 -2
package/lib/stages/postgen/spdxConverter.js +796 -0
package/lib/stages/postgen/spdxConverter.poku.js +341 -0
package/lib/validator/bomValidator.js +232 -0
package/lib/validator/bomValidator.poku.js +70 -0
package/lib/validator/complianceRules.js +70 -7
package/lib/validator/complianceRules.poku.js +30 -0
package/lib/validator/reporters/annotations.js +2 -2
package/lib/validator/reporters/console.js +11 -0
package/lib/validator/reporters.poku.js +13 -0
package/package.json +10 -7
package/types/bin/audit.d.ts +3 -0
package/types/bin/audit.d.ts.map +1 -0
package/types/bin/convert.d.ts +3 -0
package/types/bin/convert.d.ts.map +1 -0
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts +115 -0
package/types/lib/audit/index.d.ts.map +1 -0
package/types/lib/audit/progress.d.ts +27 -0
package/types/lib/audit/progress.d.ts.map +1 -0
package/types/lib/audit/reporters.d.ts +35 -0
package/types/lib/audit/reporters.d.ts.map +1 -0
package/types/lib/audit/scoring.d.ts +35 -0
package/types/lib/audit/scoring.d.ts.map +1 -0
package/types/lib/audit/targets.d.ts +63 -0
package/types/lib/audit/targets.d.ts.map +1 -0
package/types/lib/cli/index.d.ts +8 -0
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/helpers/analyzer.d.ts +13 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/annotationFormatter.d.ts +23 -0
package/types/lib/helpers/annotationFormatter.d.ts.map +1 -0
package/types/lib/helpers/bomUtils.d.ts +5 -0
package/types/lib/helpers/bomUtils.d.ts.map +1 -0
package/types/lib/helpers/chromextutils.d.ts +97 -0
package/types/lib/helpers/chromextutils.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts +3 -8
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/containerRisk.d.ts +17 -0
package/types/lib/helpers/containerRisk.d.ts.map +1 -0
package/types/lib/helpers/display.d.ts +4 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/exportUtils.d.ts +40 -0
package/types/lib/helpers/exportUtils.d.ts.map +1 -0
package/types/lib/helpers/formulationParsers.d.ts.map +1 -1
package/types/lib/helpers/gtfobins.d.ts +17 -0
package/types/lib/helpers/gtfobins.d.ts.map +1 -0
package/types/lib/helpers/lolbas.d.ts +16 -0
package/types/lib/helpers/lolbas.d.ts.map +1 -0
package/types/lib/helpers/osqueryTransform.d.ts +7 -0
package/types/lib/helpers/osqueryTransform.d.ts.map +1 -0
package/types/lib/helpers/provenanceUtils.d.ts +90 -0
package/types/lib/helpers/provenanceUtils.d.ts.map +1 -0
package/types/lib/helpers/pylockutils.d.ts +51 -0
package/types/lib/helpers/pylockutils.d.ts.map +1 -0
package/types/lib/helpers/registryProvenance.d.ts +17 -0
package/types/lib/helpers/registryProvenance.d.ts.map +1 -0
package/types/lib/helpers/source.d.ts +141 -0
package/types/lib/helpers/source.d.ts.map +1 -0
package/types/lib/helpers/spdxUtils.d.ts +2 -0
package/types/lib/helpers/spdxUtils.d.ts.map +1 -0
package/types/lib/helpers/unicodeScan.d.ts +46 -0
package/types/lib/helpers/unicodeScan.d.ts.map +1 -0
package/types/lib/helpers/utils.d.ts +29 -11
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/oci.d.ts.map +1 -1
package/types/lib/server/server.d.ts +0 -36
package/types/lib/server/server.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/postgen/spdxConverter.d.ts +11 -0
package/types/lib/stages/postgen/spdxConverter.d.ts.map +1 -0
package/types/lib/validator/bomValidator.d.ts +1 -0
package/types/lib/validator/bomValidator.d.ts.map +1 -1
package/types/lib/validator/complianceRules.d.ts.map +1 -1
package/types/lib/validator/reporters/console.d.ts.map +1 -1
package/types/bin/dependencies.d.ts +0 -3
package/types/bin/dependencies.d.ts.map +0 -1
package/types/bin/licenses.d.ts +0 -3
package/types/bin/licenses.d.ts.map +0 -1

package/lib/cli/index.js CHANGED Viewed

@@ -24,9 +24,16 @@ import { parse as loadYaml } from "yaml";
 import { findJSImportsExports } from "../helpers/analyzer.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
+import {
+  CHROME_EXTENSION_PURL_TYPE,
+  collectChromeExtensionsFromPath,
+  collectInstalledChromeExtensions,
+  discoverChromiumExtensionDirs,
+} from "../helpers/chromextutils.js";
 import { mergeDependencies, trimComponents } from "../helpers/depsUtils.js";
 import { GIT_COMMAND } from "../helpers/envcontext.js";
 import { thoughtLog } from "../helpers/logger.js";
+import { isPyLockFile } from "../helpers/pylockutils.js";
 import {
   buildDependencyTrackBomPayload,
   getDependencyTrackBomUrl,
@@ -3019,7 +3026,7 @@ export async function createNodejsBom(path, options) {
           if (!wpkgJsonFiles?.length) {
             if (!workspaceWarningShown) {
               workspaceWarningShown = true;
-              console.log(
+              console.warn(
                 `Unable to find any package.json files belonging to the workspace '${awp}' referred in ${f}. To improve SBOM precision, run cdxgen from the directory containing the complete source code.`,
               );
             }
@@ -3109,7 +3116,7 @@ export async function createNodejsBom(path, options) {
       }
       if (!Object.keys(parentComponent).length) {
         if (safeExistsSync(packageJsonF)) {
-          const pcs = await parsePkgJson(packageJsonF, true);
+          const pcs = await parsePkgJson(packageJsonF, true, true);
           if (pcs.length && Object.keys(pcs[0]).length) {
             parentComponent = { ...pcs[0] };
             parentComponent.type = "application";
@@ -3195,7 +3202,7 @@ export async function createNodejsBom(path, options) {
         const basePath = dirname(f);
         const packageJsonF = join(basePath, "package.json");
         if (safeExistsSync(packageJsonF)) {
-          const pcs = await parsePkgJson(packageJsonF, true);
+          const pcs = await parsePkgJson(packageJsonF, true, true);
           if (pcs.length && Object.keys(pcs[0]).length) {
             tmpParentComponent = { ...pcs[0] };
             tmpParentComponent.type = "application";
@@ -3365,7 +3372,7 @@ export async function createNodejsBom(path, options) {
           if (!wpkgJsonFiles?.length) {
             if (!workspaceWarningShown) {
               workspaceWarningShown = true;
-              console.log(
+              console.warn(
                 `Unable to find any package.json files belonging to the workspace '${awp}' referred in ${packageJsonFile}. To improve SBOM precision, run cdxgen from the directory containing the complete source code.`,
               );
             }
@@ -3419,7 +3426,7 @@ export async function createNodejsBom(path, options) {
       // Determine the parent component
       const packageJsonF = join(basePath, "package.json");
       if (safeExistsSync(packageJsonF)) {
-        const pcs = await parsePkgJson(packageJsonF, true);
+        const pcs = await parsePkgJson(packageJsonF, true, true);
         if (pcs.length && Object.keys(pcs[0]).length) {
           const tmpParentComponent = { ...pcs[0] };
           tmpParentComponent.type = "application";
@@ -3528,7 +3535,7 @@ export async function createNodejsBom(path, options) {
     }
     if (!parentComponent || !Object.keys(parentComponent).length) {
       if (safeExistsSync(join(path, "package.json"))) {
-        const pcs = await parsePkgJson(join(path, "package.json"), true);
+        const pcs = await parsePkgJson(join(path, "package.json"), true, true);
         if (pcs.length && Object.keys(pcs[0]).length) {
           parentComponent = { ...pcs[0] };
           parentComponent.type = "application";
@@ -3796,6 +3803,14 @@ export async function createPythonBom(path, options) {
   if (uvLockFiles?.length) {
     poetryFiles = poetryFiles.concat(uvLockFiles);
   }
+  const pyLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}pylock*.toml`,
+    options,
+  )?.filter((f) => isPyLockFile(f));
+  if (pyLockFiles?.length) {
+    poetryFiles = poetryFiles.concat(pyLockFiles);
+  }
   let reqFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}*requirements*.txt`,
@@ -3861,7 +3876,9 @@ export async function createPythonBom(path, options) {
   }
   // When we identify uv lock files, do not parse requirements files
   const requirementsMode =
-    (reqFiles?.length || reqDirFiles?.length) && !uvLockFiles.length;
+    (reqFiles?.length || reqDirFiles?.length) &&
+    !uvLockFiles.length &&
+    !pyLockFiles?.length;
   const poetryMode = poetryFiles?.length;
   // TODO: Support for nested directories
@@ -3880,6 +3897,12 @@ export async function createPythonBom(path, options) {
       if (retMap?.workspaceWarningShown) {
         options.failOnError && process.exit(1);
       }
+      if (retMap?.pyLockProperties?.length) {
+        parentComponent.properties = parentComponent.properties || [];
+        parentComponent.properties = parentComponent.properties.concat(
+          retMap.pyLockProperties,
+        );
+      }
       if (retMap.pkgList?.length) {
         pkgList = pkgList.concat(retMap.pkgList);
         pkgList = trimComponents(pkgList);
@@ -3899,7 +3922,11 @@ export async function createPythonBom(path, options) {
           parentComponent,
         );
       }
-      if ((options.deep || !dependencies.length) && !f.endsWith("uv.lock")) {
+      if (
+        (options.deep || !dependencies.length) &&
+        !f.endsWith("uv.lock") &&
+        !isPyLockFile(f)
+      ) {
         if (options.installDeps) {
           retMap = await getPipFrozenTree(
             basePath,
@@ -5692,15 +5719,27 @@ export async function createCocoaBom(path, options) {
   for (const podFile of cocoaFiles) {
     const projectPath = dirname(podFile);
     const lockFile = `${podFile}.lock`;
-    if (!safeExistsSync(lockFile) || options.deep) {
+    let missingLockWarningShown = false;
+    if (!safeExistsSync(lockFile)) {
       if (options.installDeps) {
         executePodCommand(["install"], projectPath, options);
       } else {
         console.log(
           "No 'Podfile.lock' found and '--no-install-deps' is set -- A Podfile.lock is needed to parse dependencies!",
         );
+        missingLockWarningShown = true;
         options.failOnError && process.exit(1);
       }
+    } else if (options.deep && options.installDeps) {
+      executePodCommand(["install"], projectPath, options);
+    }
+    if (!safeExistsSync(lockFile)) {
+      if (!missingLockWarningShown) {
+        console.log(
+          `No 'Podfile.lock' found for ${projectPath}. Skipping CocoaPods dependency parsing for this project.`,
+        );
+      }
+      continue;
     }
     const parentComponent = await buildObjectForCocoaPod(
       {
@@ -7288,6 +7327,61 @@ export async function createVscodeExtensionBom(path, options) {
   });
 }
+/**
+ * Function to create BOM for installed Chrome and Chromium-based browser extensions.
+ *
+ * @param {string} path to the project path or a directly provided extension path
+ * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
+ */
+export async function createChromeExtensionBom(path, options) {
+  let dependencies = [];
+  let sourcePaths = [];
+  const directResult = collectChromeExtensionsFromPath(path);
+  const chromeDirs = discoverChromiumExtensionDirs();
+  let pkgList = directResult.components || [];
+  if (directResult.extensionDirs?.length) {
+    sourcePaths = directResult.extensionDirs.slice();
+    for (const extDir of directResult.extensionDirs) {
+      const deepResult = await analyzeExtensionDir(extDir, options);
+      if (deepResult.pkgList.length) {
+        pkgList = pkgList.concat(deepResult.pkgList);
+      }
+      if (deepResult.dependencies.length) {
+        dependencies = mergeDependencies(dependencies, deepResult.dependencies);
+      }
+    }
+  }
+  if (pkgList.length && DEBUG_MODE) {
+    thoughtLog(
+      `Found ${pkgList.length} component(s) from direct Chrome extension path scan`,
+    );
+  }
+  if (chromeDirs.length) {
+    if (DEBUG_MODE) {
+      thoughtLog(
+        `Discovered Chromium extension directories: ${chromeDirs.map((d) => `${d.browser} (${d.channel}): ${d.dir}`).join(", ")}`,
+      );
+    }
+    if (!pkgList.length) {
+      pkgList = collectInstalledChromeExtensions(chromeDirs);
+      sourcePaths = chromeDirs.map((d) => d.dir);
+    }
+    if (DEBUG_MODE && pkgList.length && !directResult.components?.length) {
+      thoughtLog(
+        `Found ${pkgList.length} Chrome/Chromium extension(s) from ${chromeDirs.length} browser location(s)`,
+      );
+    }
+  }
+  pkgList = trimComponents(pkgList);
+  return buildBomNSData(options, pkgList, CHROME_EXTENSION_PURL_TYPE, {
+    src: path,
+    filename: sourcePaths.join(", "),
+    nsMapping: {},
+    dependencies,
+  });
+}
 /**
  * Analyze an extracted extension directory for bundled dependencies.
  * Looks for npm lock files, node_modules, package.json files, minified JS,
@@ -8208,6 +8302,46 @@ export async function createMultiXBom(pathList, options) {
         }
       }
     }
+    if (hasAnyProjectType(["chrome-extension"], options)) {
+      let isExplicitChromeExtensionPath = false;
+      if (safeExistsSync(path)) {
+        if (basename(path) === "manifest.json") {
+          isExplicitChromeExtensionPath = true;
+        } else {
+          try {
+            isExplicitChromeExtensionPath =
+              statSync(path).isDirectory() &&
+              safeExistsSync(join(path, "manifest.json"));
+          } catch (_err) {
+            isExplicitChromeExtensionPath = false;
+          }
+        }
+      }
+      if (isExplicitChromeExtensionPath || !options.__didScanChromeExtensions) {
+        if (!isExplicitChromeExtensionPath) {
+          options.__didScanChromeExtensions = true;
+        }
+        bomData = await createChromeExtensionBom(path, options);
+        if (bomData?.bomJson?.components?.length) {
+          if (DEBUG_MODE) {
+            console.log(
+              `Found ${bomData.bomJson.components.length} Chrome extension(s) on this host`,
+            );
+          }
+          components = components.concat(bomData.bomJson.components);
+          dependencies = mergeDependencies(
+            dependencies,
+            bomData.bomJson.dependencies,
+          );
+          if (
+            bomData.parentComponent &&
+            Object.keys(bomData.parentComponent).length
+          ) {
+            parentSubComponents.push(bomData.parentComponent);
+          }
+        }
+      }
+    }
     // Collect any crypto keys
     if (options.specVersion >= 1.6 && options.includeCrypto) {
       if (!hasAnyProjectType(["oci"], options, false)) {
@@ -8362,10 +8496,16 @@ export async function createXBom(path, options) {
   // python
   const pipenvMode = safeExistsSync(join(path, "Pipfile"));
   const poetryMode = safeExistsSync(join(path, "poetry.lock"));
+  const pyLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}pylock*.toml`,
+    options,
+  ).filter((f) => isPyLockFile(f));
+  const pyLockMode = pyLockFiles.length > 0;
   const pyProjectMode =
-    !poetryMode && safeExistsSync(join(path, "pyproject.toml"));
+    !poetryMode && !pyLockMode && safeExistsSync(join(path, "pyproject.toml"));
   const setupPyMode = safeExistsSync(join(path, "setup.py"));
-  if (pipenvMode || poetryMode || pyProjectMode || setupPyMode) {
+  if (pipenvMode || poetryMode || pyLockMode || pyProjectMode || setupPyMode) {
     return await createPythonBom(path, options);
   }
   const reqFiles = getAllFiles(
@@ -8927,6 +9067,9 @@ export async function createBom(path, options) {
   if (PROJECT_TYPE_ALIASES["vscode-extension"].includes(projectType[0])) {
     return await createVscodeExtensionBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["chrome-extension"].includes(projectType[0])) {
+    return await createChromeExtensionBom(path, options);
+  }
   switch (projectType[0]) {
     case "jar":
       return createJarBom(path, options);

package/lib/cli/index.poku.js CHANGED Viewed

@@ -1,7 +1,30 @@
+import {
+  mkdirSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+import process from "node:process";
+import { fileURLToPath } from "node:url";
 import esmock from "esmock";
 import { assert, describe, it } from "poku";
 import sinon from "sinon";
+import { createChromeExtensionBom } from "./index.js";
+const fixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+  "chrome-extensions",
+);
 describe("CLI tests", () => {
   describe("submitBom()", () => {
     it("should successfully report the SBOM with given project id, name, version and a single tag", async () => {
@@ -238,4 +261,232 @@ describe("CLI tests", () => {
       sinon.assert.notCalled(gotStub);
     });
   });
+  describe("createCocoaBom()", () => {
+    it("should skip missing Podfile.lock when failOnError is false", async () => {
+      const { createCocoaBom } = await import("./index.js");
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-cocoa-"));
+      const podFile = join(tempDir, "Podfile");
+      writeFileSync(
+        podFile,
+        "platform :ios, '14.0'\n\ntarget 'TestApp' do\nend\n",
+        "utf-8",
+      );
+      const consoleLogStub = sinon.stub(console, "log");
+      try {
+        const bomData = await createCocoaBom(tempDir, {
+          deep: false,
+          failOnError: false,
+          installDeps: false,
+          multiProject: false,
+        });
+        assert.equal(bomData, undefined);
+        sinon.assert.calledWithMatch(
+          consoleLogStub,
+          sinon.match("No 'Podfile.lock' found"),
+        );
+      } finally {
+        consoleLogStub.restore();
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+    it("should not warn or exit for deep mode when Podfile.lock exists", async () => {
+      const { createCocoaBom } = await import("./index.js");
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-cocoa-deep-"));
+      const podFile = join(tempDir, "Podfile");
+      const lockFile = join(tempDir, "Podfile.lock");
+      writeFileSync(
+        podFile,
+        "platform :ios, '14.0'\n\ntarget 'TestApp' do\nend\n",
+        "utf-8",
+      );
+      writeFileSync(lockFile, "PODS: []\nDEPENDENCIES: []\n", "utf-8");
+      const processExitStub = sinon.stub(process, "exit");
+      try {
+        await createCocoaBom(tempDir, {
+          deep: true,
+          failOnError: true,
+          installDeps: false,
+          multiProject: false,
+        });
+        sinon.assert.notCalled(processExitStub);
+      } finally {
+        processExitStub.restore();
+        rmSync(tempDir, { force: true, recursive: true });
+      }
+    });
+  });
+  describe("createChromeExtensionBom()", () => {
+    it("should catalog a directly provided extension and its node dependencies", async () => {
+      const tempRoot = mkdtempSync(join(tmpdir(), "cdxgen-chrome-ext-cli-"));
+      const extensionId = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
+      const extensionIdDir = join(tempRoot, extensionId);
+      const extensionVersionDir = join(extensionIdDir, "1.2.3");
+      try {
+        mkdirSync(extensionVersionDir, { recursive: true });
+        writeFileSync(
+          join(extensionVersionDir, "manifest.json"),
+          JSON.stringify({
+            manifest_version: 3,
+            name: "CLI Test Extension",
+            description: "Direct path test",
+            version: "1.2.3",
+          }),
+          "utf-8",
+        );
+        writeFileSync(
+          join(extensionVersionDir, "package.json"),
+          JSON.stringify({
+            name: "chrome-extension-cli-test",
+            version: "1.2.3",
+            dependencies: {
+              "left-pad": "1.3.0",
+            },
+          }),
+          "utf-8",
+        );
+        writeFileSync(
+          join(extensionVersionDir, "package-lock.json"),
+          JSON.stringify({
+            name: "chrome-extension-cli-test",
+            version: "1.2.3",
+            lockfileVersion: 3,
+            requires: true,
+            packages: {
+              "": {
+                name: "chrome-extension-cli-test",
+                version: "1.2.3",
+                dependencies: {
+                  "left-pad": "1.3.0",
+                },
+              },
+              "node_modules/left-pad": {
+                version: "1.3.0",
+              },
+            },
+          }),
+          "utf-8",
+        );
+        const bomData = await createChromeExtensionBom(extensionIdDir, {
+          projectType: ["chrome-extension"],
+          multiProject: false,
+        });
+        const components = bomData?.bomJson?.components || [];
+        assert.ok(
+          components.some(
+            (component) =>
+              component.purl === `pkg:chrome-extension/${extensionId}@1.2.3`,
+          ),
+        );
+        assert.ok(
+          components.some(
+            (component) =>
+              component.name === "left-pad" &&
+              component.purl?.startsWith("pkg:npm/left-pad@1.3.0"),
+          ),
+        );
+      } finally {
+        rmSync(tempRoot, { recursive: true, force: true });
+      }
+    });
+    it("should parse an AI-targeted community extension manifest from direct version path", async () => {
+      const tempRoot = mkdtempSync(join(tmpdir(), "cdxgen-chrome-ext-cli-ai-"));
+      const extensionId = "llllllllllllllllllllllllllllllll";
+      const extensionVersion = "1.0.0";
+      const extensionVersionDir = join(tempRoot, extensionId, extensionVersion);
+      try {
+        mkdirSync(extensionVersionDir, { recursive: true });
+        writeFileSync(
+          join(extensionVersionDir, "manifest.json"),
+          readFileSync(
+            join(fixtureDir, "chrome-copilottts-manifest.json"),
+            "utf-8",
+          ),
+          "utf-8",
+        );
+        const bomData = await createChromeExtensionBom(extensionVersionDir, {
+          projectType: ["chrome-extension"],
+          multiProject: false,
+        });
+        const extensionComponent = (bomData?.bomJson?.components || []).find(
+          (component) =>
+            component.purl ===
+            `pkg:chrome-extension/${extensionId}@${extensionVersion}`,
+        );
+        assert.ok(extensionComponent, "expected direct extension component");
+        const properties = extensionComponent.properties || [];
+        assert.ok(
+          properties.some(
+            (prop) =>
+              prop.name === "cdx:chrome-extension:permissions" &&
+              prop.value.includes("scripting"),
+          ),
+        );
+        assert.ok(
+          properties.some(
+            (prop) =>
+              prop.name === "cdx:chrome-extension:capability:codeInjection" &&
+              prop.value === "true",
+          ),
+        );
+        assert.ok(
+          properties.some(
+            (prop) =>
+              prop.name === "cdx:chrome-extension:hostPermissions" &&
+              prop.value.includes("https://github.com/copilot/tasks/*"),
+          ),
+        );
+      } finally {
+        rmSync(tempRoot, { recursive: true, force: true });
+      }
+    });
+  });
+  describe("createMultiXBom()", () => {
+    it("should scan installed chrome extensions only once across multiple non-extension paths", async () => {
+      const tempRoot = mkdtempSync(join(tmpdir(), "cdxgen-chrome-ext-multi-"));
+      const pathA = join(tempRoot, "project-a");
+      const pathB = join(tempRoot, "project-b");
+      mkdirSync(pathA, { recursive: true });
+      mkdirSync(pathB, { recursive: true });
+      const collectInstalledChromeExtensions = sinon.stub().returns([
+        {
+          type: "application",
+          name: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+          version: "1.0.0",
+          purl: "pkg:chrome-extension/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@1.0.0",
+          "bom-ref":
+            "pkg:chrome-extension/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@1.0.0",
+        },
+      ]);
+      try {
+        const { createMultiXBom } = await esmock("./index.js", {
+          "../helpers/chromextutils.js": {
+            CHROME_EXTENSION_PURL_TYPE: "chrome-extension",
+            collectChromeExtensionsFromPath: sinon
+              .stub()
+              .returns({ components: [], extensionDirs: [] }),
+            collectInstalledChromeExtensions,
+            discoverChromiumExtensionDirs: sinon.stub().returns([
+              {
+                browser: "Google Chrome",
+                channel: "stable",
+                dir: join(tempRoot, "fake-browser-dir"),
+              },
+            ]),
+          },
+        });
+        await createMultiXBom([pathA, pathB], {
+          projectType: ["chrome-extension"],
+          multiProject: true,
+        });
+        sinon.assert.calledOnce(collectInstalledChromeExtensions);
+      } finally {
+        rmSync(tempRoot, { recursive: true, force: true });
+      }
+    });
+  });
 });