@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/lib/helpers/utils.js

@@ -54,10 +54,32 @@ import { parse as _load, parseAllDocuments } from "yaml";
 import { getTreeWithPlugin } from "../managers/piptree.js";
 import { IriValidationStrategy, validateIri } from "../parsers/iri.js";
 import Arborist from "../third-party/arborist/lib/index.js";
+import { analyzeSuspiciousJsFile } from "./analyzer.js";
 import { parseWorkflowFile } from "./ciParsers/githubActions.js";
 import { extractPackageInfoFromHintPath } from "./dotnetutils.js";
 import { thoughtLog, traceLog } from "./logger.js";
+import { createLolbasProperties } from "./lolbas.js";
+import {
+  createOsQueryPurl,
+  deriveOsQueryDescription,
+  deriveOsQueryName,
+  deriveOsQueryPublisher,
+  deriveOsQueryVersion,
+  sanitizeOsQueryIdentity,
+} from "./osqueryTransform.js";
+import {
+  collectPyLockFileComponents,
+  collectPyLockPackageProperties,
+  collectPyLockTopLevelProperties,
+  getPyLockPackages,
+  isDefaultPypiRegistry,
+  isPyLockObject,
+} from "./pylockutils.js";
 import { get_python_command_from_env, getVenvMetadata } from "./pythonutils.js";
+import {
+  collectNpmRegistryProvenanceProperties,
+  collectPypiRegistryProvenanceProperties,
+} from "./registryProvenance.js";
 
 let url = import.meta?.url;
 if (url && !url.startsWith("file://")) {
@@ -229,16 +251,37 @@ export function safeSpawnSync(command, args, options) {
   if (!options.timeout) {
     options.timeout = TIMEOUT_MS;
   }
+  // Emit certain operational warnings only once per process to keep audit logs readable.
+  const emitNoticeOnce = (noticeKey, message, level = "warn") => {
+    if (!globalThis.__cdxgenNoticeCache) {
+      globalThis.__cdxgenNoticeCache = new Set();
+    }
+    if (globalThis.__cdxgenNoticeCache.has(noticeKey)) {
+      return;
+    }
+    globalThis.__cdxgenNoticeCache.add(noticeKey);
+    if (level === "log") {
+      console.log(message);
+      return;
+    }
+    console.warn(message);
+  };
   // Check for -S for python invocations in secure mode
   if (command.includes("python") && (!args?.length || args[0] !== "-S")) {
     if (isSecureMode) {
-      console.warn(
+      emitNoticeOnce(
+        "python-without-S-secure",
         "\x1b[1;35mNotice: Running python command without '-S' argument. This is a bug in cdxgen. Please report with an example repo here https://github.com/cdxgen/cdxgen/issues.\x1b[0m",
       );
     } else if (process.env?.CDXGEN_IN_CONTAINER === "true") {
-      console.log("Running python command without '-S' argument.");
+      emitNoticeOnce(
+        "python-without-S-container",
+        "Running python command without '-S' argument.",
+        "log",
+      );
     } else {
-      console.warn(
+      emitNoticeOnce(
+        "python-without-S-host",
         "\x1b[1;35mNotice: Running python command without '-S' argument. Only run cdxgen in trusted directories to prevent auto-executing local scripts.\x1b[0m",
       );
     }
@@ -265,14 +308,20 @@ export function safeSpawnSync(command, args, options) {
     );
     if (!hasOnlyBinary) {
       if (isSecureMode) {
-        console.warn(
+        emitNoticeOnce(
+          "pip-without-only-binary-secure",
           "\x1b[1;31mSecurity Alert: pip/uv install invoked without '--only-binary' argument in secure mode. This is a bug in cdxgen and introduces Arbitrary Code Execution (ACE) risks. Please report with an example repo here https://github.com/cdxgen/cdxgen/issues.\x1b[0m",
         );
       } else if (process.env?.CDXGEN_IN_CONTAINER === "true") {
-        console.log("Running pip/uv install without '--only-binary' argument.");
+        emitNoticeOnce(
+          "pip-without-only-binary-container",
+          "Running pip/uv install without '--only-binary' argument.",
+          "log",
+        );
       } else {
-        console.warn(
-          "\x1b[1;35mNotice: pip/uv install invoked without '--only-binary'. This allows executing untrusted setup.py scripts. Only run cdxgen in trusted directories.\x1b",
+        emitNoticeOnce(
+          "pip-without-only-binary-host",
+          "\x1b[1;35mNotice: pip/uv install invoked without '--only-binary'. This allows executing untrusted setup.py scripts. Only run cdxgen in trusted directories.\x1b[0m",
         );
       }
     }
@@ -337,6 +386,8 @@ export const DEBUG_MODE =
   ["debug", "verbose"].includes(process.env.CDXGEN_DEBUG_MODE) ||
   process.env.SCAN_DEBUG_MODE === "debug";
 
+export const CDXGEN_SPDX_CREATED_BY = process.env.CDXGEN_SPDX_CREATED_BY;
+
 // Table border style for console output.
 export const TABLE_BORDER_STYLE = ["ascii", "unicode", "auto"].includes(
   `${process.env.CDXGEN_TABLE_BORDER || ""}`.toLowerCase(),
@@ -390,6 +441,19 @@ export function shouldFetchLicense() {
   );
 }
 
+/**
+ * Determines whether remote package metadata should be fetched for enrichment.
+ *
+ * @returns {boolean} True when registry metadata enrichment is enabled.
+ */
+export function shouldFetchPackageMetadata() {
+  return (
+    shouldFetchLicense() ||
+    (process.env.CDXGEN_FETCH_PKG_METADATA &&
+      ["true", "1"].includes(process.env.CDXGEN_FETCH_PKG_METADATA))
+  );
+}
+
 /**
  * Determines whether VCS (version control system) information should be fetched
  * for Go packages, based on the GO_FETCH_VCS environment variable.
@@ -686,6 +750,12 @@ export const PROJECT_TYPE_ALIASES = {
     "vscode-extensions",
     "ide-extensions",
   ],
+  "chrome-extension": [
+    "chrome-extension",
+    "chrome-extensions",
+    "chromium-extension",
+    "chromium-extensions",
+  ],
 };
 
 // Package manager aliases
@@ -1375,6 +1445,10 @@ export async function getNpmMetadata(pkgList) {
       if (body.homepage) {
         p.homepage = { url: body.homepage };
       }
+      p.properties = p.properties || [];
+      p.properties.push(
+        ...collectNpmRegistryProvenanceProperties(body, p.version),
+      );
       cdepList.push(p);
     } catch (_err) {
       cdepList.push(p);
@@ -1393,6 +1467,382 @@ export async function getNpmMetadata(pkgList) {
  * @param {boolean} simple Return a simpler representation of the component by skipping extended attributes and license fetch.
  * @param {boolean} securityProps Collect security-related properties
  */
+const NPM_INSTALL_HOOK_NAMES = [
+  "preinstall",
+  "install",
+  "postinstall",
+  "prepublish",
+  "prepare",
+];
+
+const NPM_LIFECYCLE_OBFUSCATION_PATTERNS = [
+  [
+    "base64-decode",
+    /\b(?:base64(?:\s+--decode|\s+-d)?|openssl\s+enc\s+-base64\s+-d)\b/i,
+  ],
+  ["buffer-base64", /Buffer\.from\s*\([^)]*,\s*["']base64["']\s*\)/i],
+  ["atob", /\batob\s*\(/i],
+  ["string-from-char-code", /\bString\.fromCharCode\s*\(/i],
+  ["long-base64-literal", /\b[A-Za-z0-9+/]{80,}={0,2}\b/],
+];
+
+const NPM_LIFECYCLE_EXECUTION_PATTERNS = [
+  ["node-eval", /\bnode\b[^\n]*\s-[ep]\b/i],
+  ["eval", /\beval\s*\(/i],
+  ["function-constructor", /\b(?:new\s+Function|Function\s*\()/i],
+  [
+    "child-process",
+    /\b(?:child_process|node:child_process|execSync|execFileSync|spawnSync|execFile|spawn|exec)\b/i,
+  ],
+  [
+    "shell-inline",
+    /\b(?:sh|bash|cmd|powershell|pwsh)\b[^\n]*\s-(?:c|Command|EncodedCommand)\b/i,
+  ],
+];
+
+const NPM_LIFECYCLE_NETWORK_PATTERNS = [
+  ["curl", /\bcurl\b/i],
+  ["wget", /\bwget\b/i],
+  ["invoke-webrequest", /\b(?:invoke-webrequest|iwr)\b/i],
+  ["http-url", /https?:\/\//i],
+];
+
+const NPM_LIFECYCLE_JS_RUNNERS = new Set([
+  "babel-node",
+  "node",
+  "ts-node",
+  "tsx",
+  "bun",
+  "deno",
+]);
+
+const NPM_LIFECYCLE_JS_RUNNER_VALUE_OPTIONS = new Set([
+  "-c",
+  "-e",
+  "-p",
+  "-r",
+  "--config",
+  "--conditions",
+  "--cwd-file",
+  "--compilerOptions",
+  "--cwd",
+  "--env-file",
+  "--env-file-if-exists",
+  "--eval",
+  "--experimental-loader",
+  "--ignore",
+  "--import",
+  "--import-map",
+  "--input-type",
+  "--inspect",
+  "--inspect-brk",
+  "--inspect-port",
+  "--loader",
+  "--print",
+  "--preload",
+  "--project",
+  "--require",
+  "--test-name-pattern",
+  "--test-reporter",
+  "--test-reporter-destination",
+  "--test-shard",
+  "--title",
+  "--tsconfig",
+  "--watch-path",
+]);
+
+const NPM_LIFECYCLE_JS_SOURCE_FILE_PATTERN = /\.[cm]?[jt]sx?$/i;
+const SHELL_ENV_ASSIGNMENT_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*=.*/;
+
+function splitLifecycleScriptCommands(scriptValue) {
+  const commands = [];
+  let current = "";
+  let escaped = false;
+  let quoteChar = "";
+
+  for (let index = 0; index < scriptValue.length; index++) {
+    const character = scriptValue[index];
+    if (escaped) {
+      current += character;
+      escaped = false;
+      continue;
+    }
+    if (character === "\\") {
+      current += character;
+      escaped = true;
+      continue;
+    }
+    if (quoteChar) {
+      current += character;
+      if (character === quoteChar) {
+        quoteChar = "";
+      }
+      continue;
+    }
+    if (character === '"' || character === "'") {
+      current += character;
+      quoteChar = character;
+      continue;
+    }
+    if (character === ";" || character === "|") {
+      if (current.trim()) {
+        commands.push(current.trim());
+      }
+      current = "";
+      continue;
+    }
+    if (character === "&") {
+      if (current.trim()) {
+        commands.push(current.trim());
+      }
+      current = "";
+      if (scriptValue[index + 1] === "&") {
+        index += 1;
+      }
+      continue;
+    }
+    current += character;
+  }
+  if (current.trim()) {
+    commands.push(current.trim());
+  }
+  return commands;
+}
+
+function lifecycleRunnerOptionConsumesValue(token) {
+  if (!token?.startsWith("-") || token === "--") {
+    return false;
+  }
+  if (token.includes("=")) {
+    return false;
+  }
+  if (token.startsWith("--")) {
+    return NPM_LIFECYCLE_JS_RUNNER_VALUE_OPTIONS.has(token);
+  }
+  if (token.length > 2) {
+    return false;
+  }
+  return NPM_LIFECYCLE_JS_RUNNER_VALUE_OPTIONS.has(token);
+}
+
+function isLifecycleScriptSourceFile(token) {
+  if (!token || token.startsWith("-")) {
+    return false;
+  }
+  const fileToken = token.split(/[?#]/u, 1)[0];
+  return NPM_LIFECYCLE_JS_SOURCE_FILE_PATTERN.test(fileToken);
+}
+
+function findLifecycleScriptSourceArg(tokens, startIndex) {
+  for (let index = startIndex; index < tokens.length; index++) {
+    const token = tokens[index]?.trim();
+    if (!token) {
+      continue;
+    }
+    if (token === "--" || SHELL_ENV_ASSIGNMENT_PATTERN.test(token)) {
+      continue;
+    }
+    if (token.startsWith("-")) {
+      if (
+        lifecycleRunnerOptionConsumesValue(token) &&
+        index + 1 < tokens.length
+      ) {
+        index += 1;
+      }
+      continue;
+    }
+    if (isLifecycleScriptSourceFile(token)) {
+      return token;
+    }
+    break;
+  }
+  return undefined;
+}
+
+function findLifecycleScriptSourceStartIndex(tokens, runnerIndex) {
+  const runnerToken = tokens[runnerIndex];
+  for (let index = runnerIndex + 1; index < tokens.length; index++) {
+    const token = tokens[index]?.trim();
+    if (!token || token === "--" || SHELL_ENV_ASSIGNMENT_PATTERN.test(token)) {
+      continue;
+    }
+    if (token.startsWith("-")) {
+      if (
+        lifecycleRunnerOptionConsumesValue(token) &&
+        index + 1 < tokens.length
+      ) {
+        index += 1;
+      }
+      continue;
+    }
+    if (runnerToken === "deno") {
+      return token === "run" ? index + 1 : undefined;
+    }
+    if (runnerToken === "bun" && token === "run") {
+      return index + 1;
+    }
+    return index;
+  }
+  return undefined;
+}
+
+function isResolvedPathWithinDirectory(baseDir, resolvedFile) {
+  const relativePath = relative(baseDir, resolvedFile);
+  if (!relativePath) {
+    return true;
+  }
+  return (
+    !relativePath.startsWith(`..${path.sep}`) &&
+    relativePath !== ".." &&
+    !path.isAbsolute(relativePath)
+  );
+}
+
+function collectLifecyclePatternIndicators(scriptValue, patterns) {
+  const indicators = [];
+  patterns.forEach(([name, pattern]) => {
+    if (pattern.test(scriptValue)) {
+      indicators.push(name);
+    }
+  });
+  return indicators;
+}
+
+function extractLifecycleScriptSourceFiles(pkgJsonFile, scriptValue) {
+  const sourceFiles = [];
+  const seen = new Set();
+  if (!scriptValue || typeof scriptValue !== "string") {
+    return sourceFiles;
+  }
+  const pkgJsonDir = resolve(dirname(pkgJsonFile));
+  const commandSegments = splitLifecycleScriptCommands(scriptValue);
+  for (const commandSegment of commandSegments) {
+    const tokens = splitCommandArgs(commandSegment);
+    for (let index = 0; index < tokens.length; index++) {
+      if (!NPM_LIFECYCLE_JS_RUNNERS.has(tokens[index])) {
+        continue;
+      }
+      const scriptStartIndex = findLifecycleScriptSourceStartIndex(
+        tokens,
+        index,
+      );
+      if (scriptStartIndex === undefined) {
+        continue;
+      }
+      const relativeFile = findLifecycleScriptSourceArg(
+        tokens,
+        scriptStartIndex,
+      );
+      if (!relativeFile) {
+        continue;
+      }
+      const resolvedFile = resolve(pkgJsonDir, relativeFile);
+      if (
+        !isResolvedPathWithinDirectory(pkgJsonDir, resolvedFile) ||
+        !safeExistsSync(resolvedFile) ||
+        seen.has(resolvedFile)
+      ) {
+        continue;
+      }
+      seen.add(resolvedFile);
+      sourceFiles.push(resolvedFile);
+    }
+  }
+  return sourceFiles;
+}
+
+function analyzeNpmLifecycleScripts(pkgJsonFile, scripts) {
+  const executionIndicators = new Set();
+  const networkIndicators = new Set();
+  const obfuscationIndicators = new Set();
+  const obfuscatedScripts = [];
+  const suspiciousScripts = [];
+  const scriptIndicatorMap = [];
+  const riskyScripts = NPM_INSTALL_HOOK_NAMES.filter(
+    (scriptName) => scripts?.[scriptName],
+  );
+  riskyScripts.forEach((scriptName) => {
+    const scriptValue = String(scripts[scriptName] || "");
+    const scriptExecutionIndicators = new Set(
+      collectLifecyclePatternIndicators(
+        scriptValue,
+        NPM_LIFECYCLE_EXECUTION_PATTERNS,
+      ),
+    );
+    const scriptNetworkIndicators = new Set(
+      collectLifecyclePatternIndicators(
+        scriptValue,
+        NPM_LIFECYCLE_NETWORK_PATTERNS,
+      ),
+    );
+    const scriptObfuscationIndicators = new Set(
+      collectLifecyclePatternIndicators(
+        scriptValue,
+        NPM_LIFECYCLE_OBFUSCATION_PATTERNS,
+      ),
+    );
+    extractLifecycleScriptSourceFiles(pkgJsonFile, scriptValue).forEach(
+      (sourceFile) => {
+        const astIndicators = analyzeSuspiciousJsFile(sourceFile);
+        astIndicators.executionIndicators.forEach((indicator) => {
+          scriptExecutionIndicators.add(`ast:${indicator}`);
+        });
+        astIndicators.networkIndicators.forEach((indicator) => {
+          scriptNetworkIndicators.add(`ast:${indicator}`);
+        });
+        astIndicators.obfuscationIndicators.forEach((indicator) => {
+          scriptObfuscationIndicators.add(`ast:${indicator}`);
+        });
+      },
+    );
+    if (scriptObfuscationIndicators.size) {
+      scriptExecutionIndicators.forEach((indicator) => {
+        executionIndicators.add(indicator);
+      });
+      scriptObfuscationIndicators.forEach((indicator) => {
+        obfuscationIndicators.add(indicator);
+      });
+    }
+    if (
+      scriptObfuscationIndicators.size &&
+      (scriptExecutionIndicators.size || scriptNetworkIndicators.size)
+    ) {
+      obfuscatedScripts.push(scriptName);
+    }
+    if (
+      scriptObfuscationIndicators.size ||
+      (scriptExecutionIndicators.size && scriptNetworkIndicators.size)
+    ) {
+      suspiciousScripts.push(scriptName);
+    }
+    scriptNetworkIndicators.forEach((indicator) => {
+      networkIndicators.add(indicator);
+    });
+    if (
+      scriptExecutionIndicators.size ||
+      scriptNetworkIndicators.size ||
+      scriptObfuscationIndicators.size
+    ) {
+      scriptIndicatorMap.push(
+        `${scriptName}:${[
+          ...scriptObfuscationIndicators,
+          ...scriptExecutionIndicators,
+          ...scriptNetworkIndicators,
+        ].join("+")}`,
+      );
+    }
+  });
+  return {
+    executionIndicators: Array.from(executionIndicators).sort(),
+    networkIndicators: Array.from(networkIndicators).sort(),
+    obfuscatedScripts: [...new Set(obfuscatedScripts)].sort(),
+    obfuscationIndicators: Array.from(obfuscationIndicators).sort(),
+    riskyScripts,
+    scriptIndicatorMap: scriptIndicatorMap.sort(),
+    suspiciousScripts: [...new Set(suspiciousScripts)].sort(),
+  };
+}
+
 export async function parsePkgJson(
   pkgJsonFile,
   simple = false,
@@ -1482,24 +1932,70 @@ export async function parsePkgJson(
         // Track lifecycle scripts (preinstall, postinstall, etc. - code execution risk)
         if (pkgData.scripts && Object.keys(pkgData.scripts).length) {
           const scriptNames = Object.keys(pkgData.scripts).join(", ");
+          const lifecycleAnalysis = analyzeNpmLifecycleScripts(
+            pkgJsonFile,
+            pkgData.scripts,
+          );
           apkg.properties.push({
             name: "cdx:npm:scripts",
             value: scriptNames,
           });
           // Flag high-risk scripts specifically
-          const riskyScripts = [
-            "preinstall",
-            "install",
-            "postinstall",
-            "prepublish",
-            "prepare",
-          ].filter((script) => pkgData.scripts[script]);
+          const riskyScripts = lifecycleAnalysis.riskyScripts;
           if (riskyScripts.length) {
+            apkg.properties.push({
+              name: "cdx:npm:hasInstallScript",
+              value: "true",
+            });
             apkg.properties.push({
               name: "cdx:npm:risky_scripts",
               value: riskyScripts.join(", "),
             });
           }
+          if (lifecycleAnalysis.suspiciousScripts.length) {
+            apkg.properties.push({
+              name: "cdx:npm:hasSuspiciousLifecycleScript",
+              value: "true",
+            });
+            apkg.properties.push({
+              name: "cdx:npm:suspiciousLifecycleScripts",
+              value: lifecycleAnalysis.suspiciousScripts.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.obfuscatedScripts.length) {
+            apkg.properties.push({
+              name: "cdx:npm:hasObfuscatedLifecycleScript",
+              value: "true",
+            });
+            apkg.properties.push({
+              name: "cdx:npm:obfuscatedLifecycleScripts",
+              value: lifecycleAnalysis.obfuscatedScripts.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.obfuscationIndicators.length) {
+            apkg.properties.push({
+              name: "cdx:npm:lifecycleObfuscationIndicators",
+              value: lifecycleAnalysis.obfuscationIndicators.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.executionIndicators.length) {
+            apkg.properties.push({
+              name: "cdx:npm:lifecycleExecutionIndicators",
+              value: lifecycleAnalysis.executionIndicators.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.networkIndicators.length) {
+            apkg.properties.push({
+              name: "cdx:npm:lifecycleNetworkIndicators",
+              value: lifecycleAnalysis.networkIndicators.join(", "),
+            });
+          }
+          if (lifecycleAnalysis.scriptIndicatorMap.length) {
+            apkg.properties.push({
+              name: "cdx:npm:lifecycleIndicatorMap",
+              value: lifecycleAnalysis.scriptIndicatorMap.join(" | "),
+            });
+          }
         }
         // Track platform/architecture constraints
         if (pkgData.cpu && Array.isArray(pkgData.cpu) && pkgData.cpu.length) {
@@ -1566,10 +2062,10 @@ export async function parsePkgJson(
       // continue regardless of error
     }
   }
-  if (!simple && shouldFetchLicense() && pkgList?.length) {
+  if (!simple && shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parsePkgJson`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parsePkgJson`,
       );
     }
     return await getNpmMetadata(pkgList);
@@ -1616,8 +2112,9 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
     const srcFilePath = node.path.includes(`${_sep}node_modules`)
       ? node.path.split(`${_sep}node_modules`)[0]
       : node.path;
+    const isDevelopmentNode = node.dev === true || node.devOptional === true;
     const scope =
-      node.dev === true || node.optional === true ? "optional" : undefined;
+      isDevelopmentNode || node.optional === true ? "optional" : undefined;
     const integrity = node.integrity ? node.integrity : undefined;
 
     let pkg;
@@ -1690,7 +2187,7 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
         purl: purlString,
         "bom-ref": decodeURIComponent(purlString),
       };
-      if (node.dev === true) {
+      if (isDevelopmentNode) {
         _setNpmDevelopmentProperty(pkg);
       }
       if (node.resolved) {
@@ -2128,10 +2625,10 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
     options,
   ));
 
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parsePkgLock`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parsePkgLock`,
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -2761,10 +3258,10 @@ export async function parseYarnLock(
     }
   }
 
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parseYarnLock`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parseYarnLock`,
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -2838,10 +3335,10 @@ export async function parseNodeShrinkwrap(swFile) {
       }
     }
   }
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parseNodeShrinkwrap`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parseNodeShrinkwrap`,
       );
     }
     return await getNpmMetadata(pkgList);
@@ -4157,10 +4654,10 @@ export async function parsePnpmLock(
     pkgList = await pnpmMetadata(pkgList, pnpmLock);
   }
 
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parsePnpmLock`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parsePnpmLock`,
       );
     }
     pkgList = await getNpmMetadata(pkgList);
@@ -4218,10 +4715,10 @@ export async function parseBowerJson(bowerJsonFile) {
       // continue regardless of error
     }
   }
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parseBowerJson`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parseBowerJson`,
       );
     }
     return await getNpmMetadata(pkgList);
@@ -4316,10 +4813,10 @@ export async function parseMinJs(minJsFile) {
       // continue regardless of error
     }
   }
-  if (shouldFetchLicense() && pkgList?.length) {
+  if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
-        `About to fetch license information for ${pkgList.length} packages in parseMinJs`,
+        `About to fetch npm registry metadata for ${pkgList.length} packages in parseMinJs`,
       );
     }
     return await getNpmMetadata(pkgList);
@@ -5811,7 +6308,7 @@ export function guessPypiMatchingVersion(versionsList, versionSpecifiers) {
  * @param {Boolean} fetchDepsInfo Fetch dependencies info from pypi
  */
 export async function getPyMetadata(pkgList, fetchDepsInfo) {
-  if (!shouldFetchLicense() && !fetchDepsInfo) {
+  if (!shouldFetchPackageMetadata() && !fetchDepsInfo) {
     return pkgList;
   }
   const PYPI_URL = process.env.PYPI_URL || "https://pypi.org/pypi/";
@@ -5987,6 +6484,10 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
         null,
         null,
       ).toString();
+      p.properties = p.properties || [];
+      p.properties.push(
+        ...collectPypiRegistryProvenanceProperties(body, p.version),
+      );
       p.purl = purlString;
       p["bom-ref"] = decodeURIComponent(purlString);
       cdepList.push(p);
@@ -6389,9 +6890,9 @@ export function parsePyProjectTomlFile(tomlFile) {
 }
 
 /**
- * Method to parse python lock files such as poetry.lock, pdm.lock, uv.lock.
+ * Method to parse python lock files such as poetry.lock, pdm.lock, uv.lock, and pylock.toml.
  *
- * @param {Object} lockData JSON data from poetry.lock, pdm.lock, or uv.lock file
+ * @param {string} lockData Raw TOML text from poetry.lock, pdm.lock, uv.lock, or pylock.toml
  * @param {string} lockFile Lock file name for evidence
  * @param {string} pyProjectFile pyproject.toml file
  */
@@ -6408,6 +6909,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
   let workspacePaths;
   let workspaceWarningShown = false;
   let hasWorkspaces = false;
+  let pyLockProperties = [];
   // Keep track of any workspace components to be added to the parent component
   const workspaceComponentMap = {};
   const workspacePyProjMap = {};
@@ -6536,7 +7038,17 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
       }
     }
   }
-  for (const apkg of lockTomlObj.package || []) {
+  const pyLockMode = isPyLockObject(lockTomlObj);
+  if (pyLockMode) {
+    pyLockProperties = collectPyLockTopLevelProperties(lockTomlObj);
+    if (parentComponent) {
+      parentComponent.properties = parentComponent.properties || [];
+      parentComponent.properties =
+        parentComponent.properties.concat(pyLockProperties);
+    }
+  }
+  const packageEntries = getPyLockPackages(lockTomlObj);
+  for (const apkg of packageEntries) {
     // This avoids validation errors with uv.lock
     if (parentComponent?.name && parentComponent.name === apkg.name) {
       continue;
@@ -6556,10 +7068,19 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
     if (apkg.optional) {
       pkg.scope = "optional";
     }
-    if (apkg["python-versions"]) {
+    // poetry/pdm/uv use "python-versions", while pylock (PEP 751) uses "requires-python".
+    // Prefer the existing lock-family field when both are present.
+    const requiresPython = apkg["python-versions"] || apkg["requires-python"];
+    if (requiresPython) {
       pkg.properties.push({
         name: "cdx:pypi:requiresPython",
-        value: apkg["python-versions"],
+        value: requiresPython,
+      });
+    }
+    if (apkg.index && !isDefaultPypiRegistry(apkg.index)) {
+      pkg.properties.push({
+        name: "cdx:pypi:registry",
+        value: apkg.index,
       });
     }
     if (apkg?.source) {
@@ -6585,6 +7106,11 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         });
       }
     }
+    if (pyLockMode) {
+      pkg.properties = pkg.properties.concat(
+        collectPyLockPackageProperties(apkg),
+      );
+    }
     // Is this component a module?
     if (workspaceComponentMap[pkg.name]) {
       pkg.properties.push({
@@ -6672,6 +7198,12 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         });
       }
     }
+    if (pyLockMode) {
+      const pylockFileComponents = collectPyLockFileComponents(apkg, lockFile);
+      if (pylockFileComponents.length) {
+        pkg.components = (pkg.components || []).concat(pylockFileComponents);
+      }
+    }
     if (
       directDepsKeys[pkg.name] ||
       (hasWorkspaces && !Object.keys(workspaceComponentMap).length)
@@ -6728,13 +7260,14 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
           // Example: "msgpack>=0.5.2"
           const nameStr =
             apkgDep.name || apkgDep.split(/(==|<=|~=|>=)/)[0].split(" ")[0];
-          depsMap[pkg["bom-ref"]].add(existingPkgMap[nameStr] || nameStr);
+          // Python package names are normalized/case-insensitive; support both forms for lookup.
+          const nameLower = nameStr.toLowerCase();
+          const depPkgRef =
+            existingPkgMap[nameLower] || existingPkgMap[nameStr];
+          depsMap[pkg["bom-ref"]].add(depPkgRef || nameStr);
           // Propagate the workspace properties to the child components
-          if (
-            existingPkgMap[nameStr] &&
-            pkgBomRefMap[existingPkgMap[nameStr]]
-          ) {
-            const dependentPkg = pkgBomRefMap[existingPkgMap[nameStr]];
+          if (depPkgRef && pkgBomRefMap[depPkgRef]) {
+            const dependentPkg = pkgBomRefMap[depPkgRef];
             dependentPkg.properties = dependentPkg.properties || [];
             const addedValue = {};
             // Is the parent a workspace
@@ -6776,6 +7309,8 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         depRef = adep;
       } else if (existingPkgMap[adep]) {
         depRef = existingPkgMap[adep];
+      } else if (existingPkgMap[adep.toLowerCase()]) {
+        depRef = existingPkgMap[adep.toLowerCase()];
       } else if (existingPkgMap[`py${adep}`]) {
         depRef = existingPkgMap[`py${adep}`];
       } else if (existingPkgMap[adep.replace(/-/g, "_")]) {
@@ -6845,6 +7380,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
     pkgList,
     rootList,
     dependenciesList,
+    pyLockProperties,
     workspaceWarningShown,
   };
 }
@@ -12956,38 +13492,14 @@ export function convertOSQueryResults(
   const pkgList = [];
   if (results?.length) {
     for (const res of results) {
-      const version =
-        res.version ||
-        res.hotfix_id ||
-        res.hardware_version ||
-        res.port ||
-        res.pid ||
-        res.subject_key_id ||
-        res.interface ||
-        res.instance_id;
-      let name =
-        res.name ||
-        res.device_id ||
-        res.hotfix_id ||
-        res.uuid ||
-        res.serial ||
-        res.pid ||
-        res.address ||
-        res.ami_id ||
-        res.interface ||
-        res.client_app_id;
+      const version = deriveOsQueryVersion(res);
+      let name = deriveOsQueryName(res, results.length === 1, queryObj.name);
+      if (queryObj.purlType === "chrome-extension") {
+        name = (res.identifier || res.extension_id || name || "").toLowerCase();
+      }
       let group = "";
       const subpath = res.path || res.admindir || res.source;
-      let publisher =
-        res.publisher ||
-        res.maintainer ||
-        res.creator ||
-        res.manufacturer ||
-        res.provider ||
-        "";
-      if (publisher === "null") {
-        publisher = "";
-      }
+      const publisher = deriveOsQueryPublisher(res);
       // For vscode-extension purl type, the publisher is used as the namespace
       if (queryObj.purlType === "vscode-extension" && publisher) {
         group = publisher.toLowerCase();
@@ -12998,20 +13510,8 @@ export function convertOSQueryResults(
         scope = compScope;
       }
       const description =
-        res.description ||
-        res.summary ||
-        res.arguments ||
-        res.device ||
-        res.codename ||
-        res.section ||
-        res.status ||
-        res.identifier ||
-        res.components ||
-        "";
-      // Re-use the name from query obj
-      if (!name && results.length === 1 && queryObj.name) {
-        name = queryObj.name;
-      }
+        deriveOsQueryDescription(res) ||
+        (queryObj.purlType === "chrome-extension" ? res.name || "" : "");
       let qualifiers;
       if (res.identifying_number?.length) {
         qualifiers = {
@@ -13019,25 +13519,18 @@ export function convertOSQueryResults(
         };
       }
       if (name) {
-        name = name
-          .replace(/ /g, "+")
-          .replace(/[:%]/g, "-")
-          .replace(/^[@{]/g, "")
-          .replace(/[}]$/g, "");
-        group = group
-          .replace(/ /g, "+")
-          .replace(/[:%]/g, "-")
-          .replace(/^[@{]/g, "")
-          .replace(/[}]$/g, "");
-        const purl = new PackageURL(
-          queryObj.purlType || "swid",
+        name = sanitizeOsQueryIdentity(name);
+        group = sanitizeOsQueryIdentity(group);
+        const purl = createOsQueryPurl(
+          queryObj.purlType,
           group,
           name,
-          version || "",
+          version,
           qualifiers,
           subpath,
-        ).toString();
+        );
         const props = [{ name: "cdx:osquery:category", value: queryCategory }];
+        props.push(...createLolbasProperties(queryCategory, res));
         let providesList;
         if (enhance) {
           switch (queryObj.purlType) {
@@ -13074,9 +13567,15 @@ export function convertOSQueryResults(
           scope,
           type: queryObj.componentType,
         };
-        for (const k of Object.keys(res).filter(
-          (p) => !["name", "version", "description", "publisher"].includes(p),
-        )) {
+        for (const k of Object.keys(res).filter((p) => {
+          if (["version", "description", "publisher"].includes(p)) {
+            return false;
+          }
+          if (queryObj.purlType !== "chrome-extension" && p === "name") {
+            return false;
+          }
+          return true;
+        })) {
           if (res[k] && res[k] !== "null") {
             props.push({
               name: k,
@@ -13758,6 +14257,76 @@ export function parseJarManifest(jarMetadata) {
   return metadata;
 }
 
+/**
+ * Determine whether a manifest candidate looks like a namespace-qualified identifier.
+ *
+ * @param {string} candidate Manifest field value
+ * @returns {boolean} True when candidate appears namespace-qualified
+ */
+function isQualifiedJarNamespace(candidate) {
+  return (
+    !!candidate &&
+    !candidate.includes(" ") &&
+    (candidate.includes(".") || candidate.includes("-"))
+  );
+}
+
+/**
+ * Select the most reliable group candidate from JAR manifest metadata.
+ *
+ * @param {Object} jarMetadata Parsed MANIFEST.MF key-value map
+ * @returns {string} Best group candidate, or empty string if none exists
+ */
+export function inferJarGroupFromManifest(jarMetadata = {}) {
+  // Keep this ordered from most to least namespace-qualified manifest fields.
+  // Extension-Name is intentionally lower priority due to inconsistent usage.
+  const qualifiedCandidates = [
+    jarMetadata["Bundle-SymbolicName"],
+    jarMetadata["Automatic-Module-Name"],
+    jarMetadata["Implementation-Title"],
+    jarMetadata["Extension-Name"],
+  ];
+  for (const candidate of qualifiedCandidates) {
+    if (isQualifiedJarNamespace(candidate)) {
+      return candidate;
+    }
+  }
+  return (
+    jarMetadata["Implementation-Vendor-Id"] ||
+    jarMetadata["Bundle-Vendor"] ||
+    jarMetadata["Extension-Name"] ||
+    ""
+  );
+}
+
+/**
+ * Trim group suffix that duplicates the artifact name for compound artifact names.
+ *
+ * @param {string} group Group candidate
+ * @param {string} name Artifact name candidate
+ * @returns {string} Adjusted group
+ */
+export function trimJarGroupSuffix(group, name) {
+  if (!group || !name || group.startsWith("javax")) {
+    return group;
+  }
+  // Only trim when the artifact name contains a separator (hyphen or dot).
+  if (!name.includes("-") && !name.includes(".")) {
+    return group;
+  }
+  const lowerName = name.toLowerCase();
+  const dottedName = lowerName.replace(/-/g, ".");
+  const dottedSuffix = `.${dottedName}`;
+  if (group.endsWith(dottedSuffix)) {
+    return group.slice(0, -dottedSuffix.length);
+  }
+  const lowerSuffix = `.${lowerName}`;
+  if (group.endsWith(lowerSuffix)) {
+    return group.slice(0, -lowerSuffix.length);
+  }
+  return group;
+}
+
 /**
  * Parse a Maven pom.properties file and return its key-value pairs as an object.
  *
@@ -14048,14 +14617,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
               .split(";")[0]
               .trim();
           }
-          group =
-            group ||
-            jarMetadata["Extension-Name"] ||
-            jarMetadata["Implementation-Vendor-Id"] ||
-            jarMetadata["Bundle-SymbolicName"] ||
-            jarMetadata["Bundle-Vendor"] ||
-            jarMetadata["Automatic-Module-Name"] ||
-            "";
+          group = group || inferJarGroupFromManifest(jarMetadata);
           version =
             version ||
             jarMetadata["Bundle-Version"] ||
@@ -14111,16 +14673,7 @@ export async function extractJarArchive(jarFile, tempDir, jarNSMapping = {}) {
           }
           // Sometimes the group might already contain the name
           // Eg: group: org.checkerframework.checker.qual name: checker-qual
-          if (name && group && !group.startsWith("javax")) {
-            if (group.includes(`.${name.toLowerCase().replace(/-/g, ".")}`)) {
-              group = group.replace(
-                new RegExp(`.${name.toLowerCase().replace(/-/g, ".")}$`),
-                "",
-              );
-            } else if (group.includes(`.${name.toLowerCase()}`)) {
-              group = group.replace(new RegExp(`.${name.toLowerCase()}$`), "");
-            }
-          }
+          group = trimJarGroupSuffix(group, name);
           // Patch the group string
           if (vendorAliases[name]) {
             group = vendorAliases[name];
@@ -17948,6 +18501,29 @@ export function parseMakeDFile(dfile) {
   return pkgFilesMap;
 }
 
+const isAsciiHexCode = (code) => {
+  return (
+    (code >= 0x30 && code <= 0x39) ||
+    (code >= 0x41 && code <= 0x46) ||
+    (code >= 0x61 && code <= 0x66)
+  );
+};
+
+const hasValidPercentEncoding = (value) => {
+  for (let index = 0; index < value.length; index++) {
+    if (value.charCodeAt(index) !== 0x25) {
+      continue;
+    }
+    const firstHex = value.charCodeAt(index + 1);
+    const secondHex = value.charCodeAt(index + 2);
+    if (!isAsciiHexCode(firstHex) || !isAsciiHexCode(secondHex)) {
+      return false;
+    }
+    index += 2;
+  }
+  return true;
+};
+
 /**
  * Function to validate an externalReference URL for conforming to the JSON schema or bomLink
  * https://github.com/CycloneDX/cyclonedx-core-java/blob/75575318b268dda9e2a290761d7db11b4f414255/src/main/resources/bom-1.5.schema.json#L1140
@@ -17972,13 +18548,9 @@ export function isValidIriReference(iri) {
     return false;
   }
 
-  // Check for malformed percent-encoding sequences more robustly
-  // This regex looks for a % that is NOT followed by:
-  // - Exactly two hex digits that are then either:
-  //   - The end of the string ($)
-  //   - Or a character that is NOT a hex digit ([^0-9A-Fa-f])
-  // This catches %ab, %ab%, %abZ, %abc, etc.
-  if (/%(?!([0-9A-Fa-f]{2})($|[^0-9A-Fa-f]))/.test(iri)) {
+  // Validate percent-encoding with a linear scan to avoid regex backtracking
+  // issues on very long attacker-controlled inputs.
+  if (!hasValidPercentEncoding(iri)) {
     return false;
   }