@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/README.md

@@ -69,7 +69,17 @@ Most SBOM tools are like simple barcode scanners. For easy applications, they ca
 - _Precision:_ Try using multiple techniques to improve precision, even if it takes extra time.
 - _Personas:_ Cater to the needs of a range of personas such as security researchers, compliance auditors, developers, and SOC.
 - _Machine Learning:_ Optimize the generated data for Machine Learning (ML) purposes by considering the various model properties.
-- _Safety:_ Execute external build tools and handle untrusted inputs defensively, with hardened defaults and a [secure mode](docs/PERMISSIONS.md) for sensitive environments.
+- _Safety:_ Execute external build tools and handle untrusted inputs defensively, with hardened defaults, a [secure mode](docs/PERMISSIONS.md) for sensitive environments, and a read-only `--dry-run` mode for review-first workflows.
+
+### Review-first dry runs
+
+When you want to inspect what cdxgen would do before allowing side effects, use `--dry-run`.
+
+```shell
+cdxgen --dry-run -p -t js .
+```
+
+Dry-run mode keeps cdxgen read-only: it reads local files, blocks writes/exec/temp creation/cloning/submission, and prints an activity summary table for both beginners and power users.
 
 ## Documentation
 
@@ -170,7 +180,7 @@ Common asset names:
 #### Linux
 
 ```bash
-VERSION="v12.3.0"
+VERSION="v12.3.1"
 ASSET="cdx-audit-linux-amd64"
 BASE_URL="https://github.com/cdxgen/cdxgen/releases/download/${VERSION}"
 
@@ -184,7 +194,7 @@ chmod +x "${ASSET}"
 #### macOS
 
 ```bash
-VERSION="v12.3.0"
+VERSION="v12.3.1"
 ASSET="cdx-audit-darwin-arm64"
 BASE_URL="https://github.com/cdxgen/cdxgen/releases/download/${VERSION}"
 
@@ -198,7 +208,7 @@ chmod +x "${ASSET}"
 #### Windows (PowerShell)
 
 ```powershell
-$Version = "v12.3.0"
+$Version = "v12.3.1"
 $Asset = "cdx-audit-windows-amd64.exe"
 $BaseUrl = "https://github.com/cdxgen/cdxgen/releases/download/$Version"
 
@@ -223,7 +233,7 @@ steps:
     env:
       GH_TOKEN: ${{ github.token }}
     run: |
-      gh release download v12.3.0 \
+      gh release download v12.3.1 \
         --repo cdxgen/cdxgen \
         --pattern 'cdx-audit-linux-amd64' \
         --pattern 'cdx-audit-linux-amd64.sha256'

package/bin/audit.js

@@ -92,6 +92,12 @@ const args = yargs(hideBin(process.argv))
       "Restrict predictive audit target selection to packages marked with trusted publishing metadata.",
     type: "boolean",
   })
+  .option("prioritize-direct-runtime", {
+    default: true,
+    description:
+      "Prioritize direct runtime dependencies ahead of optional, development-only, or platform-specific transitive packages during target selection.",
+    type: "boolean",
+  })
   .check((argv) => {
     if (!argv.bom && !argv.bomDir) {
       throw new Error("Specify --bom or --bom-dir.");
@@ -163,6 +169,7 @@ function writeOrPrint(output, outputPath) {
       maxTargets: args.maxTargets,
       minSeverity: args.minSeverity,
       onProgress: progressTracker.onProgress,
+      prioritizeDirectRuntime: args.prioritizeDirectRuntime,
       report: args.report,
       reportsDir: args.reportsDir,
       scope: args.scope === "required" ? "required" : undefined,

package/bin/cdxgen.js

@@ -22,8 +22,10 @@ import { createBom, submitBom } from "../lib/cli/index.js";
 import { signBom, verifyBom } from "../lib/helpers/bomSigner.js";
 import {
   displaySelfThreatModel,
+  printActivitySummary,
   printCallStack,
   printDependencyTree,
+  printEnvironmentAuditFindings,
   printFormulation,
   printOccurrences,
   printReachables,
@@ -58,13 +60,19 @@ import {
   getTmpDir,
   isBun,
   isDeno,
+  isDryRun,
   isMac,
   isNode,
   isSecureMode,
   isWin,
+  recordActivity,
   remoteHostsAccessed,
   retrieveCdxgenVersion,
   safeExistsSync,
+  safeMkdirSync,
+  safeWriteSync,
+  setActivityContext,
+  setDryRunMode,
   toCamel,
 } from "../lib/helpers/utils.js";
 import { postProcess } from "../lib/stages/postgen/postgen.js";
@@ -230,6 +238,18 @@ const args = _yargs
     default: isSecureMode,
     description: "Fail if any dependency extractor fails.",
   })
+  .option("dry-run", {
+    type: "boolean",
+    default: isDryRun,
+    description:
+      "Read-only mode. cdxgen only performs file reads and reports blocked writes, command execution, temp creation, network access, and submissions.",
+  })
+  .option("activity-report", {
+    choices: ["json", "jsonl"],
+    description: "Render the activity report as JSON or JSON Lines.",
+    hidden: true,
+    type: "string",
+  })
   .option("no-babel", {
     type: "boolean",
     description:
@@ -442,9 +462,8 @@ const args = _yargs
   })
   .option("tlp-classification", {
     description:
-      'Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.\nThe default classification is "CLEAR"',
+      "Traffic Light Protocol (TLP) is a classification system for identifying the potential risk associated with an artefact, including whether it is subject to certain types of legal, financial, or technical threats. Refer to [https://www.first.org/tlp/](https://www.first.org/tlp/) for further information.",
     choices: ["CLEAR", "GREEN", "AMBER", "AMBER_AND_STRICT", "RED"],
-    default: "CLEAR",
     hidden: true,
   })
   .option("env-audit", {
@@ -658,6 +677,13 @@ const options = Object.assign({}, args, {
   exclude: args.exclude || args.excludeRegex,
   include: args.include || args.includeRegex,
 });
+setDryRunMode(options.dryRun);
+setActivityContext({
+  projectType: Array.isArray(options.projectType)
+    ? options.projectType.join(",")
+    : options.projectType,
+  sourcePath: filePath,
+});
 const outputPlan = createOutputPlan(options);
 for (const outputFile of Object.values(outputPlan.outputs)) {
   const outputDirectory = getOutputDirectory(outputFile);
@@ -666,7 +692,7 @@ for (const outputFile of Object.values(outputPlan.outputs)) {
     outputDirectory !== process.cwd() &&
     !safeExistsSync(outputDirectory)
   ) {
-    fs.mkdirSync(outputDirectory, { recursive: true });
+    safeMkdirSync(outputDirectory, { recursive: true });
   }
 }
 // Filter duplicate types. Eg: -t gradle -t gradle
@@ -709,6 +735,12 @@ if (process.argv[1].includes("cdxgen-secure")) {
   options.installDeps = false;
   process.env.CDXGEN_SECURE_MODE = true;
 }
+if (isDryRun) {
+  thoughtLog(
+    "Ok, the user wants cdxgen to run in dry-run mode. I must avoid writes, child processes, temp directories, network submissions, and cloning.",
+  );
+  options.installDeps = false;
+}
 if (options.standard) {
   options.specVersion = 1.7;
 }
@@ -905,9 +937,15 @@ const checkPermissions = (filePath, options) => {
       console.log(
         "\x1b[1;35mSecure mode requires permission-related arguments. These can be passed as CLI arguments directly to the node runtime or set the NODE_OPTIONS environment variable as shown below.\x1b[0m",
       );
-      const childProcessArgs =
-        options?.lifecycle !== "pre-build" ? " --allow-child-process" : "";
-      const nodeOptionsVal = `--permission --allow-fs-read="${getTmpDir()}/*" --allow-fs-write="${getTmpDir()}/*" --allow-fs-read="${fullFilePath}/*" --allow-fs-write="${options.output}"${childProcessArgs}`;
+      const childProcessArgs = isDryRun
+        ? ""
+        : options?.lifecycle !== "pre-build"
+          ? " --allow-child-process"
+          : "";
+      const fsWriteArgs = isDryRun
+        ? ""
+        : ` --allow-fs-write="${getTmpDir()}/*" --allow-fs-write="${options.output}"`;
+      const nodeOptionsVal = `--permission --allow-fs-read="${getTmpDir()}/*" --allow-fs-read="${fullFilePath}/*"${fsWriteArgs}${childProcessArgs}`;
       console.log(
         `${isWin ? "$env:" : "export "}NODE_OPTIONS='${nodeOptionsVal}'`,
       );
@@ -966,12 +1004,12 @@ const checkPermissions = (filePath, options) => {
     );
     return false;
   }
-  if (!process.permission.has("fs.write", options.output)) {
+  if (!isDryRun && !process.permission.has("fs.write", options.output)) {
     console.log(
       `\x1b[1;35mSECURE MODE: FileSystemWrite permission is required to create the output BOM file. Please invoke cdxgen with the argument --allow-fs-write="${options.output}"\x1b[0m`,
     );
   }
-  if (options.evidence) {
+  if (!isDryRun && options.evidence) {
     const slicesFilesKeys = [
       "deps-slices-file",
       "usages-slices-file",
@@ -995,7 +1033,7 @@ const checkPermissions = (filePath, options) => {
       }
     }
   }
-  if (!process.permission.has("fs.write", getTmpDir())) {
+  if (!isDryRun && !process.permission.has("fs.write", getTmpDir())) {
     console.log(
       `FileSystemWrite permission may be required for the TEMP directory. Please invoke cdxgen with the argument --allow-fs-write="${join(getTmpDir(), "*")}" in case of any crashes.`,
     );
@@ -1005,12 +1043,16 @@ const checkPermissions = (filePath, options) => {
       );
     }
   }
-  if (!process.permission.has("child") && !isSecureMode) {
+  if (!isDryRun && !process.permission.has("child") && !isSecureMode) {
     console.log(
       "ChildProcess permission is missing. This is required to spawn commands for some languages. Please invoke cdxgen with the argument --allow-child-process in case of issues.",
     );
   }
-  if (process.permission.has("child") && options?.lifecycle === "pre-build") {
+  if (
+    !isDryRun &&
+    process.permission.has("child") &&
+    options?.lifecycle === "pre-build"
+  ) {
     console.log(
       "SECURE MODE: ChildProcess permission is not required for pre-build SBOM generation. Please invoke cdxgen without the argument --allow-child-process.",
     );
@@ -1034,7 +1076,7 @@ const stringifyJson = (jsonPayload, jsonPretty) =>
 
 const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   const jsonPayload = stringifyJson(bomJson, options.jsonPretty);
-  fs.writeFileSync(jsonFile, jsonPayload);
+  safeWriteSync(jsonFile, jsonPayload);
   if (jsonFile.endsWith("bom.json")) {
     thoughtLog(
       `Let's save the file to "${jsonFile}". Should I suggest the '.cdx.json' file extension for better semantics?`,
@@ -1045,6 +1087,15 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   if (!jsonPayload || !needsBomSigning(options)) {
     return jsonPayload;
   }
+  if (isDryRun) {
+    recordActivity({
+      kind: "sign",
+      reason: "Dry run mode skips BOM signing and key generation.",
+      status: "blocked",
+      target: jsonFile,
+    });
+    return jsonPayload;
+  }
   let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
   if (alg.includes("none")) {
     alg = "RS512";
@@ -1068,9 +1119,9 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
         format: "pem",
       },
     });
-    fs.writeFileSync(publicKeyFile, publicKey);
-    fs.writeFileSync(privateKeyFile, privateKey);
-    fs.writeFileSync(
+    safeWriteSync(publicKeyFile, publicKey);
+    safeWriteSync(privateKeyFile, privateKey);
+    safeWriteSync(
       privateKeyB64File,
       Buffer.from(privateKey, "utf8").toString("base64"),
     );
@@ -1122,8 +1173,13 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
       signAnnotations: true,
     };
     thoughtLog(`Signing the BOM file "${jsonFile}".`);
+    recordActivity({
+      kind: "sign",
+      status: "completed",
+      target: jsonFile,
+    });
     const signedBom = signBom(bomJsonUnsignedObj, signOptions);
-    fs.writeFileSync(
+    safeWriteSync(
       jsonFile,
       JSON.stringify(signedBom, null, options.jsonPretty ? 2 : null),
     );
@@ -1159,9 +1215,7 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   // Our quest to audit and check the SBOM generation environment to prevent our users from getting exploited
   // during SBOM generation.
   if (envAuditFindings?.length) {
-    for (const f of envAuditFindings) {
-      console.log(`SECURE MODE: ${f.variable}: ${f.message}`);
-    }
+    printEnvironmentAuditFindings(envAuditFindings);
     // Only abort in secure mode for high or critical findings; low/medium are informational.
     if (
       isSecureMode &&
@@ -1177,6 +1231,18 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   }
   let sourcePath = filePath;
   let purlResolution;
+  if (isDryRun && maybePurlSource(sourcePath)) {
+    recordActivity({
+      kind: "clone",
+      reason:
+        "Dry run mode blocks package-url source resolution and repository cloning.",
+      status: "blocked",
+      target: sourcePath,
+    });
+    console.warn("Dry run mode skips purl source resolution.");
+    printActivitySummary(options.activityReport);
+    return;
+  }
   if (maybePurlSource(sourcePath)) {
     const purlValidationError = validatePurlSource(sourcePath);
     if (purlValidationError) {
@@ -1237,6 +1303,17 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   let cleanup = false;
   let gitRef = options.gitBranch;
   if (maybeRemotePath(sourcePath)) {
+    if (isDryRun) {
+      recordActivity({
+        kind: "clone",
+        reason: "Dry run mode blocks cloning git URL sources.",
+        status: "blocked",
+        target: sourcePath,
+      });
+      console.warn("Dry run mode skips remote git source cloning.");
+      printActivitySummary(options.activityReport);
+      return;
+    }
     if (!gitRef && purlResolution?.version) {
       gitRef = findGitRefForPurlVersion(sourcePath, purlResolution);
       if (!gitRef) {
@@ -1267,6 +1344,7 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     }
     cleanup = true;
   }
+  setActivityContext({ sourcePath: srcDir });
   prepareEnv(srcDir, options);
   thoughtLog("Getting ready to generate the BOM ⚡️.");
   const originalFetchPackageMetadata = process.env.CDXGEN_FETCH_PKG_METADATA;
@@ -1290,6 +1368,12 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   }
   // Add extra metadata and annotations with post processing
   bomNSData = postProcess(bomNSData, options, srcDir);
+  setActivityContext({
+    projectType: Array.isArray(options.projectType)
+      ? options.projectType.join(",")
+      : options.projectType,
+    sourcePath: srcDir,
+  });
   if (options.bomAudit && bomNSData?.bomJson) {
     const { finalizeAuditReport, runAuditFromBoms } = await import(
       "../lib/audit/index.js"
@@ -1440,53 +1524,73 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
         `cdxgen-${Date.now()}-${basename(filePath)}.cdx.json`,
       );
     }
-    fs.writeFileSync(
-      internalCycloneDxInputPath,
-      stringifyJson(bomNSData.bomJson, options.jsonPretty),
-    );
+    if (isDryRun) {
+      recordActivity({
+        kind: "write",
+        reason:
+          "Dry run mode skips evidence input materialization because it writes a temporary BOM file.",
+        status: "blocked",
+        target: internalCycloneDxInputPath,
+      });
+    } else {
+      safeWriteSync(
+        internalCycloneDxInputPath,
+        stringifyJson(bomNSData.bomJson, options.jsonPretty),
+      );
+    }
   }
   // Evidence generation
   if (options.evidence || options.includeCrypto) {
-    // Set the evinse output file to be the same as output file
-    if (!options.evinseOutput) {
-      options.evinseOutput = options.output;
-    }
-    const evinserModule = await import("../lib/evinser/evinser.js");
-    options.projectType = options.projectType || ["java"];
-    const evinseOptions = {
-      _: args._,
-      input: internalCycloneDxInputPath || options.output,
-      output: options.evinseOutput,
-      language: options.projectType,
-      skipMavenCollector: false,
-      force: false,
-      withReachables: options.deep,
-      usagesSlicesFile: options.usagesSlicesFile,
-      dataFlowSlicesFile: options.dataFlowSlicesFile,
-      reachablesSlicesFile: options.reachablesSlicesFile,
-      semanticsSlicesFile: options.semanticsSlicesFile,
-      openapiSpecFile: options.openapiSpecFile,
-      includeCrypto: options.includeCrypto,
-      specVersion: options.specVersion,
-      profile: options.profile,
-      jsonPretty: options.jsonPretty,
-    };
-    const dbObjMap = await evinserModule.prepareDB(evinseOptions);
-    if (dbObjMap) {
-      const sliceArtefacts = await evinserModule.analyzeProject(
-        dbObjMap,
-        evinseOptions,
-      );
-      const evinseJson = evinserModule.createEvinseFile(
-        sliceArtefacts,
-        evinseOptions,
-      );
-      bomNSData.bomJson = evinseJson;
-      if (options.print && evinseJson) {
-        printOccurrences(evinseJson);
-        printCallStack(evinseJson);
-        printReachables(sliceArtefacts);
-        printServices(evinseJson);
+    if (isDryRun) {
+      recordActivity({
+        kind: "write",
+        reason:
+          "Dry run mode skips evidence and crypto enrichment because those flows require temp files and additional processing.",
+        status: "blocked",
+        target: options.evinseOutput || options.output || "evinse",
+      });
+    } else {
+      // Set the evinse output file to be the same as output file
+      if (!options.evinseOutput) {
+        options.evinseOutput = options.output;
+      }
+      const evinserModule = await import("../lib/evinser/evinser.js");
+      options.projectType = options.projectType || ["java"];
+      const evinseOptions = {
+        _: args._,
+        input: internalCycloneDxInputPath || options.output,
+        output: options.evinseOutput,
+        language: options.projectType,
+        skipMavenCollector: false,
+        force: false,
+        withReachables: options.deep,
+        usagesSlicesFile: options.usagesSlicesFile,
+        dataFlowSlicesFile: options.dataFlowSlicesFile,
+        reachablesSlicesFile: options.reachablesSlicesFile,
+        semanticsSlicesFile: options.semanticsSlicesFile,
+        openapiSpecFile: options.openapiSpecFile,
+        includeCrypto: options.includeCrypto,
+        specVersion: options.specVersion,
+        profile: options.profile,
+        jsonPretty: options.jsonPretty,
+      };
+      const dbObjMap = await evinserModule.prepareDB(evinseOptions);
+      if (dbObjMap) {
+        const sliceArtefacts = await evinserModule.analyzeProject(
+          dbObjMap,
+          evinseOptions,
+        );
+        const evinseJson = evinserModule.createEvinseFile(
+          sliceArtefacts,
+          evinseOptions,
+        );
+        bomNSData.bomJson = evinseJson;
+        if (options.print && evinseJson) {
+          printOccurrences(evinseJson);
+          printCallStack(evinseJson);
+          printReachables(sliceArtefacts);
+          printServices(evinseJson);
+        }
       }
     }
   }
@@ -1498,8 +1602,9 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
         cleanupSourceDir(srcDir);
       }
       process.exit(1);
+    } else {
+      thoughtLog("✅ BOM file looks valid.");
     }
-    thoughtLog("✅ BOM file looks valid.");
   }
   if (
     outputPlan.formats.has("spdx") &&
@@ -1509,16 +1614,31 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
     thoughtLog(
       "Preparing the SPDX 3.0.1 export from the validated CycloneDX BOM.",
     );
-    bomNSData.spdxJson = convertCycloneDxToSpdx(bomNSData.bomJson, options);
-    if (options.validate && !validateSpdx(bomNSData.spdxJson)) {
-      process.exit(1);
+    if (isDryRun) {
+      recordActivity({
+        kind: "convert",
+        reason:
+          "Dry run mode skips SPDX conversion because the export path is read-only.",
+        status: "blocked",
+        target: "spdx",
+      });
+    } else {
+      bomNSData.spdxJson = convertCycloneDxToSpdx(bomNSData.bomJson, options);
+      recordActivity({
+        kind: "convert",
+        status: "completed",
+        target: "spdx",
+      });
+      if (options.validate && !validateSpdx(bomNSData.spdxJson)) {
+        process.exit(1);
+      }
     }
   }
   if (
     options.output &&
     (typeof options.output === "string" || options.output instanceof String)
   ) {
-    if (outputPlan.outputs.cyclonedx && bomNSData.bomJson) {
+    if (!isDryRun && outputPlan.outputs.cyclonedx && bomNSData.bomJson) {
       writeCycloneDxOutput(
         outputPlan.outputs.cyclonedx,
         bomNSData.bomJson,
@@ -1526,15 +1646,29 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
       );
       if (bomNSData.nsMapping && Object.keys(bomNSData.nsMapping).length) {
         const nsFile = `${outputPlan.outputs.cyclonedx}.map`;
-        fs.writeFileSync(nsFile, JSON.stringify(bomNSData.nsMapping));
+        safeWriteSync(nsFile, JSON.stringify(bomNSData.nsMapping));
       }
+    } else if (isDryRun && outputPlan.outputs.cyclonedx) {
+      recordActivity({
+        kind: "write",
+        reason: "Dry run mode skips CycloneDX file output.",
+        status: "blocked",
+        target: outputPlan.outputs.cyclonedx,
+      });
     }
-    if (outputPlan.outputs.spdx && bomNSData.spdxJson) {
-      fs.writeFileSync(
+    if (!isDryRun && outputPlan.outputs.spdx && bomNSData.spdxJson) {
+      safeWriteSync(
         outputPlan.outputs.spdx,
         stringifyJson(bomNSData.spdxJson, options.jsonPretty),
       );
       thoughtLog(`Let's save the SPDX file to "${outputPlan.outputs.spdx}".`);
+    } else if (isDryRun && outputPlan.outputs.spdx) {
+      recordActivity({
+        kind: "write",
+        reason: "Dry run mode skips SPDX file output.",
+        status: "blocked",
+        target: outputPlan.outputs.spdx,
+      });
     }
   } else if (!options.print) {
     if (outputPlan.formats.has("spdx") && bomNSData?.spdxJson) {
@@ -1550,21 +1684,44 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
   // Automatically submit the bom data
   // biome-ignore lint/suspicious/noDoubleEquals: yargs passes true for empty values
   if (options.serverUrl && options.serverUrl != true && options.apiKey) {
-    try {
-      await submitBom(options, bomNSData.bomJson);
-    } catch (err) {
-      console.log(err);
-      if (cleanup) {
-        cleanupSourceDir(srcDir);
+    if (isDryRun) {
+      recordActivity({
+        kind: "submit",
+        reason: "Dry run mode skips remote BOM submission.",
+        status: "blocked",
+        target: options.serverUrl,
+      });
+    } else {
+      try {
+        recordActivity({
+          kind: "submit",
+          status: "completed",
+          target: options.serverUrl,
+        });
+        await submitBom(options, bomNSData.bomJson);
+      } catch (err) {
+        console.log(err);
+        if (cleanup) {
+          cleanupSourceDir(srcDir);
+        }
+        process.exit(1);
       }
-      process.exit(1);
     }
   }
   // Protobuf serialization
   if (options.exportProto) {
-    const protobomModule = await import("../lib/helpers/protobom.js");
-    protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
-    thoughtLog("BOM file is also available in .proto format!");
+    if (isDryRun) {
+      recordActivity({
+        kind: "write",
+        reason: "Dry run mode skips protobuf export.",
+        status: "blocked",
+        target: options.protoBinFile,
+      });
+    } else {
+      const protobomModule = await import("../lib/helpers/protobom.js");
+      protobomModule.writeBinary(bomNSData.bomJson, options.protoBinFile);
+      thoughtLog("BOM file is also available in .proto format!");
+    }
   }
   if (options.print && bomNSData.bomJson?.components) {
     printSummary(bomNSData.bomJson);
@@ -1579,6 +1736,9 @@ const writeCycloneDxOutput = (jsonFile, bomJson, options) => {
       printDependencyTree(bomNSData.bomJson, "provides");
     }
   }
+  if (isDryRun || DEBUG_MODE) {
+    printActivitySummary(options.activityReport);
+  }
   if (
     (DEBUG_MODE || TRACE_MODE) &&
     (!process.env?.CDXGEN_ALLOWED_HOSTS ||