@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/cli/index.js

@@ -18,10 +18,24 @@ import { parse } from "ssri";
 import { v4 as uuidv4 } from "uuid";
 import { parse as loadYaml } from "yaml";
 
+import {
+  AI_INSTRUCTION_FILE_KINDS,
+  AI_INVENTORY_PROJECT_TYPES,
+  AI_SKILL_FILE_KIND,
+  collectAiInventory,
+  filterInventoryDependencies,
+  filterInventorySubjectsByTypes,
+  inventoryPropertyValue,
+  MCP_CONFIG_FILE_KIND,
+  optionIncludesAiInventoryProjectType,
+  summarizeAiInventory,
+} from "../helpers/aiInventory.js";
 import {
   detectMcpInventory,
+  detectPythonMcpInventory,
   findJSImportsExports,
 } from "../helpers/analyzer.js";
+import { expandBomAuditCategories } from "../helpers/auditCategories.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
 import {
   CHROME_EXTENSION_PURL_TYPE,
@@ -50,6 +64,7 @@ import {
   addEvidenceForDotnet,
   addEvidenceForImports,
   addPlugin,
+  attachIdentityTools,
   buildGradleCommandArguments,
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
@@ -74,6 +89,7 @@ import {
   executeParallelGradleProperties,
   executePodCommand,
   extractJarArchive,
+  extractToolRefs,
   frameworksList,
   generatePixiLockFile,
   getAllFiles,
@@ -120,6 +136,7 @@ import {
   parseCloudBuildData,
   parseCmakeLikeFile,
   parseCocoaDependency,
+  parseColliderLockData,
   parseComposerJson,
   parseComposerLock,
   parseConanData,
@@ -197,6 +214,9 @@ import {
   shouldFetchLicense,
   splitOutputByGradleProjects,
 } from "../helpers/utils.js";
+
+export { summarizeAiInventory } from "../helpers/aiInventory.js";
+
 import {
   cleanupTempDir,
   collectInstalledExtensions,
@@ -312,7 +332,10 @@ const createDefaultParentComponent = (
     group: options.projectGroup || "",
     name: compName,
     version: `${options.projectVersion}` || "latest",
-    type: compName.endsWith(".tar") ? "container" : "application",
+    type:
+      type === "container" || compName.endsWith(".tar")
+        ? "container"
+        : "application",
   };
   const ppurl = new PackageURL(
     type,
@@ -327,6 +350,25 @@ const createDefaultParentComponent = (
   return parentComponent;
 };
 
+const shouldIncludeNodeModulesDir = (options = {}, baseProjectTypes = []) => {
+  if (options.deep) {
+    return true;
+  }
+  const projectTypes = Array.isArray(options.projectType)
+    ? options.projectType
+    : options.projectType
+      ? [options.projectType]
+      : [];
+  if (!projectTypes.length) {
+    return true;
+  }
+  return baseProjectTypes.some((projectType) =>
+    projectTypes.every((selectedProjectType) =>
+      PROJECT_TYPE_ALIASES[projectType]?.includes(selectedProjectType),
+    ),
+  );
+};
+
 const determineParentComponent = (options) => {
   let parentComponent;
   if (options.parentComponent && Object.keys(options.parentComponent).length) {
@@ -1351,17 +1393,21 @@ export async function createJarBom(path, options) {
   let pkgList = [];
   let jarFiles;
   let nsMapping = {};
-  if (!options.exclude) {
-    options.exclude = [];
-  }
-  // We can look for jar files within node_modules directory
-  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
-    options.includeNodeModulesDir = true;
+  const searchOptions = {
+    ...options,
+    exclude: [...(options.exclude || [])],
+  };
+  if (typeof searchOptions.includeNodeModulesDir === "undefined") {
+    searchOptions.includeNodeModulesDir = shouldIncludeNodeModulesDir(options, [
+      "jar",
+      "war",
+      "ear",
+    ]);
   }
   // Exclude certain directories during oci sbom generation
   if (hasAnyProjectType(["oci"], options, false)) {
-    options.exclude.push("**/android-sdk*/**");
-    options.exclude.push("**/.sdkman/**");
+    searchOptions.exclude.push("**/android-sdk*/**");
+    searchOptions.exclude.push("**/.sdkman/**");
   }
   const parentComponent = createDefaultParentComponent(path, "maven", options);
   if (options.useGradleCache) {
@@ -1385,14 +1431,14 @@ export async function createJarBom(path, options) {
     jarFiles = getAllFiles(
       path,
       `${options.multiProject ? "**/" : ""}*.[jw]ar`,
-      options,
+      searchOptions,
     );
   }
   // Jenkins plugins
   const hpiFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}*.hpi`,
-    options,
+    searchOptions,
   );
   if (hpiFiles.length) {
     jarFiles = jarFiles.concat(hpiFiles);
@@ -1447,6 +1493,13 @@ export function createBinaryBom(path, options) {
     const binaryBom = JSON.parse(
       readFileSync(binaryBomFile, { encoding: "utf-8" }),
     );
+    attachIdentityTools(
+      binaryBom?.components,
+      extractToolRefs(
+        binaryBom?.metadata?.tools,
+        (tool) => tool?.name !== "cdxgen",
+      ),
+    );
     return {
       bomJson: binaryBom,
       dependencies: binaryBom.dependencies,
@@ -1874,6 +1927,10 @@ export async function createJavaBom(path, options) {
             ) {
               tools = bomJsonObj.metadata.tools;
             }
+            const toolRefs = extractToolRefs(
+              bomJsonObj?.metadata?.tools,
+              (tool) => tool?.name !== "cdxgen",
+            );
             if (
               bomJsonObj.metadata?.component &&
               !Object.keys(parentComponent).length
@@ -1910,6 +1967,7 @@ export async function createJavaBom(path, options) {
                     name: "SrcFile",
                     value: srcPomFile,
                   });
+                  attachIdentityTools(acomp, toolRefs);
                 }
               }
               pkgList = pkgList.concat(bomJsonObj.components);
@@ -2717,16 +2775,32 @@ export async function createJavaBom(path, options) {
  * @param {Object} options Parse options from the cli
  * @returns {Promise<Object>} Promise resolving to BOM object
  */
+function getRequestedAiInventoryTypes(options) {
+  return AI_INVENTORY_PROJECT_TYPES.filter((type) =>
+    optionIncludesAiInventoryProjectType(options?.projectType, type),
+  );
+}
+
+function getExcludedAiInventoryTypes(options) {
+  return AI_INVENTORY_PROJECT_TYPES.filter((type) =>
+    optionIncludesAiInventoryProjectType(options?.excludeType, type),
+  );
+}
+
+function getExactAiInventoryType(options) {
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  return requestedAiInventoryTypes.length === 1 &&
+    Array.isArray(options?.projectType) &&
+    options.projectType.length === 1
+    ? requestedAiInventoryTypes[0]
+    : undefined;
+}
+
 function shouldDetectMcpInventory(options, allImports = {}) {
   if (hasAnyProjectType(["mcp"], options, false)) {
     return true;
   }
-  const auditCategories = Array.isArray(options?.bomAuditCategories)
-    ? options.bomAuditCategories
-    : String(options?.bomAuditCategories || "")
-        .split(",")
-        .map((category) => category.trim())
-        .filter(Boolean);
+  const auditCategories = expandBomAuditCategories(options?.bomAuditCategories);
   if (
     auditCategories.some((category) =>
       ["mcp-server", "ai-agent"].includes(category),
@@ -2740,6 +2814,91 @@ function shouldDetectMcpInventory(options, allImports = {}) {
   });
 }
 
+function summarizeAiInventoryNames(subjects, discoveryPath, kindSet) {
+  return [
+    ...new Set(
+      (subjects || [])
+        .filter((subject) =>
+          kindSet.has(inventoryPropertyValue(subject, "cdx:file:kind")),
+        )
+        .map((subject) => inventoryPropertyValue(subject, "SrcFile"))
+        .filter(Boolean)
+        .map(
+          (filePath) => relative(discoveryPath, filePath) || basename(filePath),
+        ),
+    ),
+  ].sort();
+}
+
+function summarizeAiInventoryServiceNames(services) {
+  return [
+    ...new Set(
+      (services || []).map((service) => service?.name).filter(Boolean),
+    ),
+  ].sort();
+}
+
+function formatAiInventorySummaryLine(label, count, nameList) {
+  return `  ${label.padEnd(20)} ${count}${nameList.length ? ` (${nameList.join(", ")})` : ""}`;
+}
+
+function emitAiInventorySummary(aiInventory, discoveryPath) {
+  const summary = summarizeAiInventory(aiInventory);
+  const totalInventory =
+    summary.instructionCount +
+    summary.skillCount +
+    summary.mcpConfigCount +
+    summary.mcpServiceCount;
+  if (!totalInventory) {
+    return;
+  }
+  const instructionNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    AI_INSTRUCTION_FILE_KINDS,
+  );
+  const skillNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    new Set([AI_SKILL_FILE_KIND]),
+  );
+  const mcpConfigNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    new Set([MCP_CONFIG_FILE_KIND]),
+  );
+  const mcpServiceNames = summarizeAiInventoryServiceNames(
+    aiInventory.services,
+  );
+  console.warn(
+    [
+      "AI Inventory Summary:",
+      formatAiInventorySummaryLine(
+        "AI instruction files:",
+        summary.instructionCount,
+        instructionNames,
+      ),
+      formatAiInventorySummaryLine(
+        "Skill files:",
+        summary.skillCount,
+        skillNames,
+      ),
+      formatAiInventorySummaryLine(
+        "MCP configs:",
+        summary.mcpConfigCount,
+        mcpConfigNames,
+      ),
+      formatAiInventorySummaryLine(
+        "MCP services:",
+        summary.mcpServiceCount,
+        mcpServiceNames,
+      ),
+      "",
+      "Run --bom-audit --bom-audit-categories ai-inventory to audit these surfaces.",
+    ].join("\n"),
+  );
+}
+
 export async function createNodejsBom(path, options) {
   let pkgList = [];
   let manifestFiles = [];
@@ -2747,6 +2906,15 @@ export async function createNodejsBom(path, options) {
   let parentComponent = {};
   const parentSubComponents = [];
   let ppurl = "";
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
+  const exactAiInventoryType = getExactAiInventoryType(options);
+  const includedAiInventoryTypes = exactAiInventoryType
+    ? requestedAiInventoryTypes
+    : AI_INVENTORY_PROJECT_TYPES.filter(
+        (type) => !excludedAiInventoryTypes.includes(type),
+      );
+  let aiInventory = { components: [], dependencies: [], services: [] };
   // Docker mode requires special handling
   if (hasAnyProjectType(["docker", "oci", "container", "os"], options, false)) {
     const pkgJsonFiles = getAllFiles(path, "**/package.json", options);
@@ -2758,11 +2926,27 @@ export async function createNodejsBom(path, options) {
           pkgList = pkgList.concat(dlist);
         }
       }
+      if (includedAiInventoryTypes.length) {
+        aiInventory = collectAiInventory(
+          path,
+          options,
+          includedAiInventoryTypes,
+        );
+      }
+      if (aiInventory.components?.length) {
+        pkgList = trimComponents(pkgList.concat(aiInventory.components));
+      }
       return buildBomNSData(options, pkgList, "npm", {
         allImports: {},
         src: path,
         filename: "package.json",
+        dependencies: mergeDependencies(
+          [],
+          aiInventory.dependencies,
+          parentComponent,
+        ),
         parentComponent,
+        services: aiInventory.services,
       });
     }
   }
@@ -2785,6 +2969,40 @@ export async function createNodejsBom(path, options) {
       mcpInventory = detectMcpInventory(path, options.deep);
     }
   }
+  if (includedAiInventoryTypes.length) {
+    aiInventory = collectAiInventory(path, options, includedAiInventoryTypes);
+  }
+  if (excludedAiInventoryTypes.includes("mcp")) {
+    mcpInventory = { components: [], dependencies: [], services: [] };
+  }
+  const aiInventorySummary = summarizeAiInventory(aiInventory);
+  if (!exactAiInventoryType) {
+    if (aiInventorySummary.instructionCount || aiInventorySummary.skillCount) {
+      thoughtLog(
+        `I found ${aiInventorySummary.instructionCount + aiInventorySummary.skillCount} AI skill/instruction file component(s). Use '--exclude-type ai-skill' for a package-only BOM, or '--bom-audit --bom-audit-categories ai-inventory' for review-friendly reporting.`,
+      );
+    }
+    if (aiInventorySummary.mcpConfigCount) {
+      thoughtLog(
+        `I found ${aiInventorySummary.mcpConfigCount} MCP config component(s). Use '--exclude-type mcp' to drop them, or '--bom-audit --bom-audit-categories ai-inventory --tlp-classification AMBER' to keep and flag them.`,
+      );
+    }
+    emitAiInventorySummary(aiInventory, path);
+  }
+  if (exactAiInventoryType === "ai-skill") {
+    const exactComponents = trimComponents([...(aiInventory.components || [])]);
+    const exactDependencies = mergeDependencies([], aiInventory.dependencies);
+    const exactServices = mergeServices([], aiInventory.services);
+    parentComponent = createDefaultParentComponent(path, "generic", options);
+    return buildBomNSData(options, exactComponents, "generic", {
+      dependencies: exactDependencies,
+      filename: path,
+      parentComponent,
+      projectType: exactAiInventoryType,
+      services: exactServices,
+      src: path,
+    });
+  }
   let yarnLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}yarn.lock`,
@@ -3675,12 +3893,37 @@ export async function createNodejsBom(path, options) {
       parentComponent,
     );
   }
+  if (aiInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(aiInventory.components));
+  }
+  if (aiInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      aiInventory.dependencies,
+      parentComponent,
+    );
+  }
+  const inventoryServices = mergeServices(
+    mergeServices([], mcpInventory.services || []),
+    aiInventory.services || [],
+  );
+  if (exactAiInventoryType === "mcp") {
+    pkgList = trimComponents(filterInventorySubjectsByTypes(pkgList, ["mcp"]));
+    dependencies = filterInventoryDependencies(
+      dependencies,
+      pkgList,
+      inventoryServices,
+    );
+    if (!parentComponent || !Object.keys(parentComponent).length) {
+      parentComponent = createDefaultParentComponent(path, "generic", options);
+    }
+  }
   return buildBomNSData(options, pkgList, "npm", {
     src: path,
     filename: manifestFiles.join(", "),
     dependencies,
     parentComponent,
-    services: mergeServices([], mcpInventory.services || []),
+    services: inventoryServices,
   });
 }
 
@@ -3859,6 +4102,16 @@ export async function createPythonBom(path, options) {
   let dependencies = [];
   let pkgList = [];
   let formulationList = [];
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
+  const includedAiInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter(
+    (type) =>
+      (!requestedAiInventoryTypes.length ||
+        requestedAiInventoryTypes.includes(type)) &&
+      !excludedAiInventoryTypes.includes(type),
+  );
+  let aiInventory = { components: [], dependencies: [], services: [] };
+  let mcpInventory = { components: [], dependencies: [], services: [] };
   const tempDir = safeMkdtempSync(join(getTmpDir(), "cdxgen-venv-"));
   let parentComponent = createDefaultParentComponent(path, "pypi", options);
   // We are checking only the root here for pipenv
@@ -4350,6 +4603,24 @@ export async function createPythonBom(path, options) {
       pkgList = pkgList.concat(dlist);
     }
   }
+  if (includedAiInventoryTypes.length) {
+    aiInventory = collectAiInventory(path, options, includedAiInventoryTypes);
+    if (includedAiInventoryTypes.includes("mcp")) {
+      mcpInventory = detectPythonMcpInventory(path, options.deep);
+    }
+  }
+  const aiInventorySummary = summarizeAiInventory(aiInventory);
+  if (aiInventorySummary.instructionCount || aiInventorySummary.skillCount) {
+    thoughtLog(
+      `I found ${aiInventorySummary.instructionCount + aiInventorySummary.skillCount} AI skill/instruction file component(s). Use '--exclude-type ai-skill' for a package-only BOM, or '--bom-audit --bom-audit-categories ai-inventory' for review-friendly reporting.`,
+    );
+  }
+  if (aiInventorySummary.mcpConfigCount) {
+    thoughtLog(
+      `I found ${aiInventorySummary.mcpConfigCount} MCP config component(s). Use '--exclude-type mcp' to drop them, or '--bom-audit --bom-audit-categories ai-inventory --tlp-classification AMBER' to keep and flag them.`,
+    );
+  }
+  emitAiInventorySummary(aiInventory, path);
   // Check and complete the dependency tree
   if (
     isFeatureEnabled(options, "safe-pip-install") &&
@@ -4398,6 +4669,30 @@ export async function createPythonBom(path, options) {
   if (shouldFetchLicense()) {
     pkgList = await getPyMetadata(pkgList, false);
   }
+  if (mcpInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(mcpInventory.components));
+  }
+  if (mcpInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      mcpInventory.dependencies,
+      parentComponent,
+    );
+  }
+  if (aiInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(aiInventory.components));
+  }
+  if (aiInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      aiInventory.dependencies,
+      parentComponent,
+    );
+  }
+  const inventoryServices = mergeServices(
+    mergeServices([], mcpInventory.services || []),
+    aiInventory.services || [],
+  );
   return buildBomNSData(options, pkgList, "pypi", {
     allImports,
     src: path,
@@ -4405,6 +4700,7 @@ export async function createPythonBom(path, options) {
     dependencies,
     parentComponent,
     formulationList,
+    services: inventoryServices,
   });
 }
 
@@ -5161,6 +5457,11 @@ export function createCppBom(path, options) {
   let parentComponent;
   let dependencies = [];
   const addedParentComponentsMap = {};
+  const colliderLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}collider.lock`,
+    options,
+  );
   const conanLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}conan.lock`,
@@ -5237,6 +5538,39 @@ export function createCppBom(path, options) {
       }
     }
   }
+  if (colliderLockFiles.length) {
+    for (const f of colliderLockFiles) {
+      if (DEBUG_MODE) {
+        console.log(`Parsing ${f}`);
+      }
+      const colliderLockData = readFileSync(f, { encoding: "utf-8" });
+      const {
+        pkgList: colliderPkgList,
+        dependencies: colliderDependencies,
+        parentComponentDependencies: parentCompDeps,
+      } = parseColliderLockData(colliderLockData, f);
+
+      if (colliderPkgList.length) {
+        pkgList = pkgList.concat(colliderPkgList);
+      }
+
+      if (Object.keys(colliderDependencies).length) {
+        dependencies = mergeDependencies(
+          dependencies,
+          Object.keys(colliderDependencies).map((dependentBomRef) => ({
+            ref: dependentBomRef,
+            dependsOn: colliderDependencies[dependentBomRef],
+          })),
+        );
+      }
+
+      if (parentCompDeps.length) {
+        parentComponentDependencies = [
+          ...new Set(parentComponentDependencies.concat(parentCompDeps)),
+        ];
+      }
+    }
+  }
   if (cmakeLikeFiles.length) {
     for (const f of cmakeLikeFiles) {
       if (DEBUG_MODE) {
@@ -6575,24 +6909,26 @@ export async function createContainerSpecLikeBom(path, options) {
 export function createPHPBom(path, options) {
   let dependencies = [];
   let parentComponent = {};
-  // We can look for composer files within node_modules directory
-  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
-    options.includeNodeModulesDir = true;
-  }
+  const searchOptions = {
+    ...options,
+    includeNodeModulesDir:
+      typeof options.includeNodeModulesDir === "undefined"
+        ? shouldIncludeNodeModulesDir(options, ["php"])
+        : options.includeNodeModulesDir,
+  };
+  const composerLockSearchOptions = {
+    ...searchOptions,
+    exclude: [...(options.exclude || []), "**/vendor/**"],
+  };
   const composerJsonFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.json`,
-    options,
+    searchOptions,
   );
-  if (!options.exclude) {
-    options.exclude = [];
-  }
-  // Ignore vendor directories for lock files
-  options.exclude.push("**/vendor/**");
   let composerLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.lock`,
-    options,
+    composerLockSearchOptions,
   );
   let pkgList = [];
   const composerJsonMode = composerJsonFiles.length;
@@ -6655,7 +6991,7 @@ export function createPHPBom(path, options) {
   composerLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.lock`,
-    options,
+    composerLockSearchOptions,
   );
   if (composerLockFiles.length) {
     // Look for any root composer.json to capture the parentComponent
@@ -7803,6 +8139,7 @@ export async function createMultiXBom(pathList, options) {
       binPaths,
       executables,
       sharedLibs,
+      tools,
     } = await getOSPackages(
       options.allLayersExplodedDir,
       options.exportData?.inspectData?.Config,
@@ -7833,6 +8170,13 @@ export async function createMultiXBom(pathList, options) {
     if (allTypes?.length) {
       options.allOSComponentTypes = allTypes;
     }
+    if (tools?.length) {
+      options.tools = (
+        Array.isArray(options.tools)
+          ? options.tools
+          : options.tools?.components || []
+      ).concat(tools);
+    }
     components = components.concat(osPackages);
     components = components.concat(executables);
     components = components.concat(sharedLibs);
@@ -7882,22 +8226,39 @@ export async function createMultiXBom(pathList, options) {
     if (pathList.length > 2) {
       thoughtLog(`Let's thoroughly check the path ${path}.`);
     }
-    // Node.js
-    if (hasAnyProjectType(["oci", "js"], options)) {
+    // Node.js and AI inventory
+    if (hasAnyProjectType(["oci", "js", "mcp", "ai-skill"], options)) {
+      const exactAiInventoryType = getExactAiInventoryType(options);
       if (!hasAnyProjectType(["oci"], options, false)) {
-        thoughtLog(
-          "**JS**: Now looking for JavaScript projects (npm, yarn, pnpm) and files.",
-        );
+        if (exactAiInventoryType === "mcp") {
+          thoughtLog(
+            "**MCP**: Looking for MCP services, MCP configs, and related AI control-plane artifacts.",
+          );
+        } else if (exactAiInventoryType === "ai-skill") {
+          thoughtLog(
+            "**AI-SKILL**: Looking for AI instruction, skill, and agent-definition files that can influence build or release flows.",
+          );
+        } else {
+          thoughtLog(
+            "**JS**: Now looking for JavaScript projects (npm, yarn, pnpm) and files.",
+          );
+        }
       }
-      setProjectTypeActivityContext("js", path);
+      setProjectTypeActivityContext(exactAiInventoryType || "js", path);
       bomData = await createNodejsBom(path, options);
       if (bomData?.bomJson?.components?.length) {
-        thoughtLog(
-          `I found ${bomData.bomJson.components.length} npm packages. Let's keep looking.`,
-        );
+        if (exactAiInventoryType) {
+          thoughtLog(
+            `I found ${bomData.bomJson.components.length} ${exactAiInventoryType} component(s). Let's keep looking.`,
+          );
+        } else {
+          thoughtLog(
+            `I found ${bomData.bomJson.components.length} npm packages. Let's keep looking.`,
+          );
+        }
         if (DEBUG_MODE) {
           console.log(
-            `Found ${bomData.bomJson.components.length} npm packages at ${path}`,
+            `Found ${bomData.bomJson.components.length} ${exactAiInventoryType || "npm"} components at ${path}`,
           );
         }
         components = components.concat(bomData.bomJson.components);
@@ -8890,6 +9251,11 @@ export async function createXBom(path, options) {
     `${options.multiProject ? "**/" : ""}conan.lock`,
     options,
   );
+  const colliderLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}collider.lock`,
+    options,
+  );
   const conanFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}conanfile.txt`,
@@ -8906,6 +9272,7 @@ export async function createXBom(path, options) {
     options,
   );
   if (
+    colliderLockFiles.length ||
     conanLockFiles.length ||
     conanFiles.length ||
     cmakeListFiles.length ||
@@ -9075,6 +9442,10 @@ export async function createBom(path, options) {
   }
   let exportData;
   let isContainerMode = false;
+  const isLocalDirectoryInput =
+    !options.projectType?.includes("universal") &&
+    safeExistsSync(path) &&
+    lstatSync(path).isDirectory();
   // Docker and image archive support
   // TODO: Support any source archive
   if (path.endsWith(".tar") || path.endsWith(".tar.gz")) {
@@ -9087,6 +9458,22 @@ export async function createBom(path, options) {
       return {};
     }
     isContainerMode = true;
+  } else if (
+    isLocalDirectoryInput &&
+    (hasAnyProjectType(["oci-dir"], options, false) ||
+      hasAnyProjectType(["oci"], options, false))
+  ) {
+    isContainerMode = true;
+    exportData = {
+      inspectData: undefined,
+      lastWorkingDir: "",
+      allLayersDir: path,
+      allLayersExplodedDir: path,
+    };
+    if (safeExistsSync(join(path, "all-layers"))) {
+      exportData.allLayersExplodedDir = join(path, "all-layers");
+    }
+    exportData.pkgPathList = getPkgPathList(exportData, undefined);
   } else if (
     (options.projectType &&
       !options.projectType?.includes("universal") &&
@@ -9114,21 +9501,6 @@ export async function createBom(path, options) {
         console.log(path, "doesn't appear to be a valid container image.");
       }
     }
-  } else if (
-    !options.projectType?.includes("universal") &&
-    hasAnyProjectType(["oci-dir"], options, false)
-  ) {
-    isContainerMode = true;
-    exportData = {
-      inspectData: undefined,
-      lastWorkingDir: "",
-      allLayersDir: path,
-      allLayersExplodedDir: path,
-    };
-    if (safeExistsSync(join(path, "all-layers"))) {
-      exportData.allLayersDir = join(path, "all-layers");
-    }
-    exportData.pkgPathList = getPkgPathList(exportData, undefined);
   }
   if (isContainerMode) {
     options.multiProject = true;
@@ -9238,6 +9610,12 @@ export async function createBom(path, options) {
   ) {
     return await createNodejsBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["mcp"].includes(projectType[0])) {
+    return await createNodejsBom(path, options);
+  }
+  if (PROJECT_TYPE_ALIASES["ai-skill"].includes(projectType[0])) {
+    return await createNodejsBom(path, options);
+  }
   if (
     PROJECT_TYPE_ALIASES["py"].includes(projectType[0]) ||
     projectType?.[0]?.startsWith("python")
@@ -9402,6 +9780,7 @@ export async function submitBom(args, bomContents) {
     // See issue #1963 regarding CRLF hardening
     return await got(serverUrl, {
       method: "PUT",
+      followRedirect: false,
       https: {
         rejectUnauthorized: !args.skipDtTlsCheck,
       },
@@ -9427,11 +9806,12 @@ export async function submitBom(args, bomContents) {
       try {
         return await got(serverUrl, {
           method: "POST",
+          followRedirect: false,
           https: {
             rejectUnauthorized: !args.skipDtTlsCheck,
           },
           headers: {
-            "X-Api-Key": args.apiKey,
+            "X-Api-Key": (args.apiKey || "").replace(/[\r\n]/g, ""),
             "Content-Type": "application/json",
             "user-agent": `@CycloneDX/cdxgen ${CDXGEN_VERSION}`,
           },