@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/cli/index.poku.js

@@ -1,3 +1,4 @@
+import { execFileSync } from "node:child_process";
 import {
   mkdirSync,
   mkdtempSync,
@@ -6,7 +7,7 @@ import {
   writeFileSync,
 } from "node:fs";
 import { tmpdir } from "node:os";
-import { dirname, join } from "node:path";
+import { dirname, join, normalize, sep } from "node:path";
 import process from "node:process";
 import { fileURLToPath } from "node:url";
 
@@ -16,7 +17,13 @@ import sinon from "sinon";
 
 import { auditBom } from "../stages/postgen/auditBom.js";
 import { postProcess } from "../stages/postgen/postgen.js";
-import { createBom, createChromeExtensionBom, createRustBom } from "./index.js";
+import {
+  createBom,
+  createChromeExtensionBom,
+  createNodejsBom,
+  createPHPBom,
+  createRustBom,
+} from "./index.js";
 
 const fixtureDir = join(
   dirname(fileURLToPath(import.meta.url)),
@@ -53,8 +60,115 @@ const mcpFixtureDir = join(
   "data",
   "mcp-repotest",
 );
+const cacheDisableFixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+  "cache-disable-repotest",
+);
+const composerFixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+);
+const repoDir = join(dirname(fileURLToPath(import.meta.url)), "..", "..");
+
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
+
+function createComposerNodeModulesFixture() {
+  const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-composer-node-modules-"));
+  const packageDir = join(tmpDir, "node_modules", "moment-timezone");
+  mkdirSync(packageDir, { recursive: true });
+  writeFileSync(
+    join(packageDir, "composer.json"),
+    readFileSync(join(composerFixtureDir, "composer.json"), "utf-8"),
+  );
+  writeFileSync(
+    join(packageDir, "composer.lock"),
+    readFileSync(join(composerFixtureDir, "composer.lock"), "utf-8"),
+  );
+  return tmpDir;
+}
+
+function createJarNodeModulesFixture() {
+  const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-jar-node-modules-"));
+  const packageDir = join(tmpDir, "node_modules", "font-mfizz");
+  mkdirSync(packageDir, { recursive: true });
+  writeFileSync(join(packageDir, "blaze.jar"), "fake jar content");
+  return tmpDir;
+}
+
+const stubbedJarPackage = {
+  group: "org.slf4j",
+  name: "slf4j-simple",
+  version: "2.0.17",
+  purl: "pkg:maven/org.slf4j/slf4j-simple@2.0.17?type=jar",
+  "bom-ref": "pkg:maven/org.slf4j/slf4j-simple@2.0.17?type=jar",
+};
+
+async function loadStubbedCreateJarBom() {
+  const actualUtils = await import("../helpers/utils.js");
+  const extractJarArchive = sinon.stub().resolves([stubbedJarPackage]);
+  const getMvnMetadata = sinon.stub().callsFake(async (pkgList) => pkgList);
+  const mockedIndex = await esmock("./index.js", {
+    "../helpers/utils.js": {
+      ...actualUtils,
+      extractJarArchive,
+      getMvnMetadata,
+    },
+  });
+  return mockedIndex.createJarBom;
+}
+
+function toPortablePath(filePath) {
+  return normalize(filePath).split(sep).join("/");
+}
+
+function getNpmPackFilePaths() {
+  const command =
+    process.platform === "win32"
+      ? {
+          args: ["/c", "npm", "pack", "--dry-run", "--json"],
+          file: process.env.ComSpec || "cmd.exe",
+        }
+      : {
+          args: ["pack", "--dry-run", "--json"],
+          file: "npm",
+        };
+  const packOutput = execFileSync(command.file, command.args, {
+    cwd: repoDir,
+    encoding: "utf8",
+  });
+  const [packSummary] = JSON.parse(packOutput);
+  return packSummary.files.map((file) => toPortablePath(file.path));
+}
 
 describe("CLI tests", () => {
+  describe("distribution filters", () => {
+    it("keeps npm types while excluding poku tests from npm pack output", () => {
+      const packedPaths = getNpmPackFilePaths();
+
+      assert.ok(
+        packedPaths.some((path) => path.startsWith("types/")),
+        "expected npm pack output to keep generated type definitions",
+      );
+      assert.ok(
+        packedPaths.every((path) => !path.endsWith(".poku.js")),
+        "expected npm pack output to exclude co-located poku tests",
+      );
+      assert.ok(
+        packedPaths.every((path) => !path.startsWith("test/")),
+        "expected npm pack output to exclude test fixtures",
+      );
+    });
+  });
+
   describe("submitBom()", () => {
     it("should report blocked Dependency-Track submission during dry-run", async () => {
       const recordActivity = sinon.stub();
@@ -137,6 +251,7 @@ describe("CLI tests", () => {
 
       assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
       assert.equal(options.method, "PUT");
+      assert.equal(options.followRedirect, false);
       assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
       assert.equal(options.headers["X-Api-Key"], apiKey);
       assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
@@ -197,6 +312,7 @@ describe("CLI tests", () => {
       // Assert call arguments against expectations
       assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
       assert.equal(options.method, "PUT");
+      assert.equal(options.followRedirect, false);
       assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
       assert.equal(options.headers["X-Api-Key"], apiKey);
       assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
@@ -253,6 +369,7 @@ describe("CLI tests", () => {
 
       assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
       assert.equal(options.method, "PUT");
+      assert.equal(options.followRedirect, false);
       assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
       assert.equal(options.headers["X-Api-Key"], apiKey);
       assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
@@ -319,6 +436,41 @@ describe("CLI tests", () => {
       assert.equal(response, undefined);
       sinon.assert.notCalled(gotStub);
     });
+
+    it("disables redirects for the POST fallback request too", async () => {
+      const putError = new Error("Method not allowed");
+      putError.response = { statusCode: 405 };
+      const gotStub = sinon.stub();
+      gotStub
+        .onFirstCall()
+        .returns({
+          json: sinon.stub().rejects(putError),
+        })
+        .onSecondCall()
+        .returns({
+          json: sinon.stub().resolves({ success: true }),
+        });
+      gotStub.extend = sinon.stub().returns(gotStub);
+
+      const { submitBom } = await esmock("./index.js", {
+        got: { default: gotStub },
+      });
+
+      await submitBom(
+        {
+          serverUrl: "https://dtrack.example.com",
+          projectName: "cdxgen-test-project",
+          apiKey: "TEST_API_KEY\r\n",
+        },
+        { bom: "test6" },
+      );
+
+      assert.equal(gotStub.callCount, 2);
+      const [, postOptions] = gotStub.secondCall.args;
+      assert.equal(postOptions.method, "POST");
+      assert.equal(postOptions.followRedirect, false);
+      assert.equal(postOptions.headers["X-Api-Key"], "TEST_API_KEY");
+    });
   });
 
   describe("createCocoaBom()", () => {
@@ -645,6 +797,103 @@ describe("CLI tests", () => {
         rmSync(tempDir, { recursive: true, force: true });
       }
     });
+
+    it("treats an existing local directory as a staged rootfs for docker scans", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-rootfs-"));
+      const exportImage = sinon.stub().resolves(undefined);
+      const getPkgPathList = sinon.stub().returns([]);
+      try {
+        const { createBom: createBomMocked } = await esmock("./index.js", {
+          "../managers/binary.js": {
+            executeOsQuery: sinon.stub(),
+            getBinaryBom: sinon.stub(),
+            getDotnetSlices: sinon.stub(),
+            getOSPackages: sinon.stub().resolves({
+              allTypes: [],
+              binPaths: [],
+              bundledRuntimes: [],
+              bundledSdks: [],
+              dependenciesList: [],
+              executables: [],
+              osPackages: [],
+              sharedLibs: [],
+            }),
+          },
+          "../managers/docker.js": {
+            addSkippedSrcFiles: sinon.stub(),
+            exportArchive: sinon.stub(),
+            exportImage,
+            getPkgPathList,
+            parseImageName: sinon.stub(),
+          },
+        });
+        const bomNSData = await createBomMocked(tempDir, {
+          failOnError: true,
+          installDeps: false,
+          multiProject: false,
+          projectType: ["docker"],
+          specVersion: 1.6,
+        });
+        sinon.assert.notCalled(exportImage);
+        sinon.assert.calledOnce(getPkgPathList);
+        assert.ok(bomNSData?.bomJson);
+        assert.strictEqual(bomNSData?.parentComponent?.type, "container");
+      } finally {
+        rmSync(tempDir, { recursive: true, force: true });
+      }
+    });
+
+    it("prefers an all-layers subdirectory when scanning staged rootfs inputs", async () => {
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-rootfs-"));
+      const allLayersDir = join(tempDir, "all-layers");
+      const exportImage = sinon.stub().resolves(undefined);
+      const getPkgPathList = sinon.stub().returns([]);
+      mkdirSync(allLayersDir);
+      try {
+        const { createBom: createBomMocked } = await esmock("./index.js", {
+          "../managers/binary.js": {
+            executeOsQuery: sinon.stub(),
+            getBinaryBom: sinon.stub(),
+            getDotnetSlices: sinon.stub(),
+            getOSPackages: sinon.stub().resolves({
+              allTypes: [],
+              binPaths: [],
+              bundledRuntimes: [],
+              bundledSdks: [],
+              dependenciesList: [],
+              executables: [],
+              osPackages: [],
+              sharedLibs: [],
+            }),
+          },
+          "../managers/docker.js": {
+            addSkippedSrcFiles: sinon.stub(),
+            exportArchive: sinon.stub(),
+            exportImage,
+            getPkgPathList,
+            parseImageName: sinon.stub(),
+          },
+        });
+        await createBomMocked(tempDir, {
+          failOnError: true,
+          installDeps: false,
+          multiProject: false,
+          projectType: ["docker"],
+          specVersion: 1.6,
+        });
+        sinon.assert.calledOnce(getPkgPathList);
+        assert.strictEqual(
+          getPkgPathList.firstCall.args[0].allLayersDir,
+          tempDir,
+        );
+        assert.strictEqual(
+          getPkgPathList.firstCall.args[0].allLayersExplodedDir,
+          allLayersDir,
+        );
+      } finally {
+        rmSync(tempDir, { recursive: true, force: true });
+      }
+    });
   });
 
   describe("createBom() cargo cache support", () => {
@@ -839,6 +1088,102 @@ checksum = "${"a".repeat(64)}"
     });
   });
 
+  describe("createBom() Collider lock support", () => {
+    it("preserves Collider integrity metadata and dependency nodes in the BOM", async () => {
+      const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-collider-"));
+      writeFileSync(
+        join(tmpDir, "collider.lock"),
+        JSON.stringify(
+          {
+            version: 1,
+            dependencies: {
+              fmt: {
+                version: "11.0.2",
+                wrap_hash: `sha256:${"a".repeat(64)}`,
+                origin: "https://packages.example.com/collider/v2/",
+              },
+            },
+            packages: {
+              fast_float: {
+                version: "8.0.2",
+                wrap_hash: `sha256:${"b".repeat(64)}`,
+                origin: "https://wrapdb.mesonbuild.com/v2/",
+              },
+            },
+          },
+          null,
+          2,
+        ),
+      );
+      try {
+        const bomNSData = await createBom(tmpDir, {
+          failOnError: true,
+          installDeps: false,
+          multiProject: false,
+          projectType: ["collider"],
+          specVersion: 1.7,
+        });
+        const bomJson = bomNSData?.bomJson || {};
+        const fmtComponent = (bomJson.components || []).find(
+          (component) => component.name === "fmt",
+        );
+        const transitiveComponent = (bomJson.components || []).find(
+          (component) => component.name === "fast_float",
+        );
+        assert.ok(fmtComponent);
+        assert.ok(transitiveComponent);
+        assert.deepStrictEqual(
+          getProp(fmtComponent, "cdx:collider:origin"),
+          "https://packages.example.com/collider/v2/",
+        );
+        assert.deepStrictEqual(
+          getProp(fmtComponent, "cdx:collider:hasWrapHash"),
+          "true",
+        );
+        assert.deepStrictEqual(
+          getProp(transitiveComponent, "cdx:collider:dependencyKind"),
+          "transitive",
+        );
+        assert.deepStrictEqual(fmtComponent.hashes, [
+          {
+            alg: "SHA-256",
+            content: "a".repeat(64),
+          },
+        ]);
+        assert.deepStrictEqual(fmtComponent.externalReferences, [
+          {
+            type: "distribution",
+            url: "https://packages.example.com/collider/v2/",
+          },
+        ]);
+        const parentDependency = (bomJson.dependencies || []).find(
+          (dependency) =>
+            dependency.ref === bomJson.metadata.component["bom-ref"],
+        );
+        assert.ok(parentDependency);
+        assert.deepStrictEqual(parentDependency.dependsOn, [
+          "pkg:generic/fmt@11.0.2",
+        ]);
+        assert.ok(
+          (bomJson.dependencies || []).some(
+            (dependency) =>
+              dependency.ref === "pkg:generic/fmt@11.0.2" &&
+              dependency.dependsOn.length === 0,
+          ),
+        );
+        assert.ok(
+          (bomJson.dependencies || []).some(
+            (dependency) =>
+              dependency.ref === "pkg:generic/fast_float@8.0.2" &&
+              dependency.dependsOn.length === 0,
+          ),
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+  });
+
   describe("createBom() MCP inventory support", () => {
     it("catalogs MCP services, primitives, and audit findings for JavaScript projects", async () => {
       const options = {
@@ -902,6 +1247,32 @@ checksum = "${"a".repeat(64)}"
       assert.ok(findings.some((finding) => finding.ruleId === "MCP-003"));
     });
 
+    it("supports the ai-inventory audit category alias for MCP discovery", async () => {
+      const options = {
+        bomAudit: true,
+        bomAuditCategories: "ai-inventory",
+        bomAuditMinSeverity: "low",
+        failOnError: true,
+        installDeps: false,
+        multiProject: false,
+        projectType: ["js"],
+        specVersion: 1.7,
+      };
+      const bomNSData = await createBom(mcpFixtureDir, options);
+      const processedBomNSData = postProcess(bomNSData, options, mcpFixtureDir);
+      const bomJson = processedBomNSData?.bomJson || {};
+      assert.ok(
+        (bomJson.services || []).some(
+          (service) => service.name === "unsafe-http-server",
+        ),
+      );
+      const findings = await auditBom(bomJson, {
+        bomAuditCategories: "ai-inventory",
+        bomAuditMinSeverity: "low",
+      });
+      assert.ok(findings.some((finding) => finding.ruleId === "MCP-001"));
+    });
+
     it("supports the dedicated mcp project type alias", async () => {
       const options = {
         bomAudit: false,
@@ -927,5 +1298,507 @@ checksum = "${"a".repeat(64)}"
         ),
       );
     });
+
+    it("flags disabled setup caches for npm, Python, and Cargo fixtures", async () => {
+      const options = {
+        bomAudit: true,
+        bomAuditCategories: "ci-permission",
+        bomAuditMinSeverity: "low",
+        failOnError: true,
+        includeFormulation: true,
+        installDeps: false,
+        multiProject: true,
+        projectType: ["js", "python", "cargo", "github"],
+        specVersion: 1.7,
+      };
+      const bomNSData = await createBom(cacheDisableFixtureDir, options);
+      const processedBomNSData = postProcess(
+        bomNSData,
+        options,
+        cacheDisableFixtureDir,
+      );
+      const bomJson = processedBomNSData?.bomJson || {};
+      const setupNodeComponent = (bomJson.components || []).find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "actions/setup-node@v4",
+      );
+      const setupPythonComponent = (bomJson.components || []).find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "actions/setup-python@v5",
+      );
+      const setupRustComponent = (bomJson.components || []).find(
+        (component) =>
+          getProp(component, "cdx:github:action:uses") ===
+          "moonrepo/setup-rust@v1",
+      );
+      const npmComponent = (bomJson.components || []).find((component) =>
+        component.purl?.startsWith("pkg:npm/left-pad@1.3.0"),
+      );
+      const pythonComponent = (bomJson.components || []).find((component) =>
+        component.purl?.startsWith("pkg:pypi/anyio@4.6.0"),
+      );
+      const cargoComponent = (bomJson.components || []).find(
+        (component) =>
+          component.name === "git-crate" &&
+          getProp(component, "cdx:cargo:git") ===
+            "https://github.com/acme/git-crate.git",
+      );
+      const cargoRunComponent = (bomJson.components || []).find((component) =>
+        component.properties?.some(
+          (property) =>
+            property.name === "cdx:github:step:cargoSubcommands" &&
+            property.value === "build",
+        ),
+      );
+      assert.ok(setupNodeComponent, "expected setup-node workflow component");
+      assert.ok(
+        setupPythonComponent,
+        "expected setup-python workflow component",
+      );
+      assert.ok(setupRustComponent, "expected setup-rust workflow component");
+      assert.strictEqual(
+        getProp(setupNodeComponent, "cdx:github:action:disablesBuildCache"),
+        "true",
+      );
+      assert.strictEqual(
+        getProp(setupPythonComponent, "cdx:github:action:disablesBuildCache"),
+        "true",
+      );
+      assert.strictEqual(
+        getProp(setupRustComponent, "cdx:github:action:disablesBuildCache"),
+        "true",
+      );
+      assert.strictEqual(
+        getProp(setupRustComponent, "cdx:github:action:buildCacheEcosystem"),
+        "cargo",
+      );
+      assert.strictEqual(
+        getProp(setupRustComponent, "cdx:github:action:buildCacheDisableInput"),
+        "cache",
+      );
+      assert.ok(npmComponent, "expected npm dependency from package-lock");
+      assert.ok(pythonComponent, "expected PyPI dependency from uv.lock");
+      assert.ok(cargoComponent, "expected Cargo dependency from Cargo.toml");
+      assert.ok(cargoRunComponent, "expected Cargo run step component");
+      assert.strictEqual(
+        getProp(npmComponent, "cdx:npm:manifestSourceType"),
+        "url",
+      );
+      assert.strictEqual(
+        getProp(pythonComponent, "cdx:pypi:manifestSourceType"),
+        "url",
+      );
+      assert.strictEqual(
+        getProp(cargoComponent, "cdx:cargo:git"),
+        "https://github.com/acme/git-crate.git",
+      );
+      assert.strictEqual(
+        getProp(cargoComponent, "cdx:cargo:gitBranch"),
+        "main",
+      );
+      assert.strictEqual(
+        getProp(cargoRunComponent, "cdx:github:step:usesCargo"),
+        "true",
+      );
+
+      const findings = await auditBom(bomJson, {
+        bomAuditCategories: "ci-permission",
+        bomAuditMinSeverity: "low",
+      });
+      assert.ok(
+        findings.some((finding) => finding.ruleId === "CI-022"),
+        "expected npm disabled cache finding",
+      );
+      assert.ok(
+        findings.some((finding) => finding.ruleId === "CI-023"),
+        "expected Python disabled cache finding",
+      );
+      assert.ok(
+        findings.some((finding) => finding.ruleId === "CI-024"),
+        "expected Cargo disabled cache finding",
+      );
+    });
+
+    it("supports exact AI skill scans and js exclude-type filtering for AI inventory", async () => {
+      const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-ai-inventory-"));
+      mkdirSync(join(tmpDir, ".claude", "skills", "release"), {
+        recursive: true,
+      });
+      mkdirSync(join(tmpDir, ".vscode"), { recursive: true });
+      writeFileSync(
+        join(tmpDir, "package.json"),
+        JSON.stringify(
+          {
+            dependencies: {
+              "left-pad": "1.3.0",
+            },
+            name: "ai-inventory-demo",
+            version: "1.0.0",
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "package-lock.json"),
+        JSON.stringify(
+          {
+            lockfileVersion: 3,
+            name: "ai-inventory-demo",
+            packages: {
+              "": {
+                dependencies: {
+                  "left-pad": "1.3.0",
+                },
+                name: "ai-inventory-demo",
+                version: "1.0.0",
+              },
+              "node_modules/left-pad": {
+                resolved:
+                  "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+                version: "1.3.0",
+              },
+            },
+            requires: true,
+            version: "1.0.0",
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "CLAUDE.md"),
+        "Use the release skill before publishing artifacts.",
+      );
+      writeFileSync(
+        join(tmpDir, ".claude", "skills", "release", "SKILL.md"),
+        [
+          "---",
+          "name: release",
+          "description: Prepare release artifacts",
+          "---",
+          "Use this skill before shipping.",
+        ].join("\n"),
+      );
+      writeFileSync(
+        join(tmpDir, ".vscode", "mcp.json"),
+        JSON.stringify(
+          {
+            mcpServers: {
+              releaseDocs: {
+                endpoint: "https://example.com/mcp",
+                transport: "http",
+              },
+            },
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "pyproject.toml"),
+        [
+          "[project]",
+          'name = "demo-python-app"',
+          'version = "0.1.0"',
+          'requires-python = ">=3.10"',
+        ].join("\n"),
+      );
+      writeFileSync(
+        join(tmpDir, "server.py"),
+        [
+          "import mcp.server.stdio",
+          "import mcp.types as mtypes",
+          "from mcp.server import Server",
+          "",
+          'server = Server("python-release-docs", version="0.2.0")',
+          "",
+          "@server.list_tools()",
+          "async def handle_list_tools():",
+          '    return [mtypes.Tool(name="summarize_vulns", description="Summarize vulns", inputSchema={"type": "object"})]',
+          "",
+          "async with mcp.server.stdio.stdio_server() as (read_stream, write_stream):",
+          "    await server.run(read_stream, write_stream, None)",
+        ].join("\n"),
+      );
+      try {
+        const baseOptions = {
+          installDeps: false,
+          multiProject: false,
+          specVersion: 1.7,
+        };
+        const jsOptions = {
+          ...baseOptions,
+          projectType: ["js"],
+        };
+        const jsBomJson = postProcess(
+          await createBom(tmpDir, jsOptions),
+          jsOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in js scan",
+        );
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) =>
+              component.name === "CLAUDE.md" &&
+              getProp(component, "cdx:file:kind") === "agent-instructions",
+          ),
+          "expected CLAUDE.md in js scan",
+        );
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in js scan",
+        );
+        assert.ok(
+          (jsBomJson.services || []).some(
+            (service) =>
+              service.name === "releaseDocs" &&
+              getProp(service, "cdx:mcp:inventorySource") === "config-file",
+          ),
+          "expected MCP config service in js scan",
+        );
+
+        const dockerOptions = {
+          ...baseOptions,
+          projectType: ["js", "docker"],
+        };
+        const dockerBomJson = postProcess(
+          await createNodejsBom(tmpDir, dockerOptions),
+          dockerOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (dockerBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in docker js scan",
+        );
+        assert.ok(
+          (dockerBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in docker js scan",
+        );
+
+        const exactAiSkillOptions = {
+          ...baseOptions,
+          projectType: ["ai-skill"],
+        };
+        const aiSkillBomJson = postProcess(
+          await createBom(tmpDir, exactAiSkillOptions),
+          exactAiSkillOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (aiSkillBomJson.components || []).some(
+            (component) =>
+              component.name === "CLAUDE.md" &&
+              getProp(component, "cdx:file:kind") === "agent-instructions",
+          ),
+          "expected CLAUDE.md in exact ai-skill scan",
+        );
+        assert.ok(
+          !(aiSkillBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "did not expect MCP configs in exact ai-skill scan",
+        );
+
+        const filteredOptions = {
+          ...baseOptions,
+          excludeType: ["ai-skill", "mcp"],
+          projectType: ["js"],
+        };
+        const filteredBomJson = postProcess(
+          await createBom(tmpDir, filteredOptions),
+          filteredOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          !(filteredBomJson.components || []).some((component) =>
+            ["agent-instructions", "mcp-config", "skill-file"].includes(
+              getProp(component, "cdx:file:kind"),
+            ),
+          ),
+          "did not expect AI inventory components after exclude-type filtering",
+        );
+        assert.ok(
+          !(filteredBomJson.services || []).some((service) =>
+            service.properties?.some((property) =>
+              property.name.startsWith("cdx:mcp:"),
+            ),
+          ),
+          "did not expect MCP services after exclude-type filtering",
+        );
+
+        const pyOptions = {
+          ...baseOptions,
+          projectType: ["py"],
+        };
+        const pyBomJson = postProcess(
+          await createBom(tmpDir, pyOptions),
+          pyOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (pyBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in python scan",
+        );
+        assert.ok(
+          (pyBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in python scan",
+        );
+        assert.ok(
+          (pyBomJson.services || []).some(
+            (service) =>
+              service.name === "python-release-docs" &&
+              getProp(service, "cdx:mcp:inventorySource") ===
+                "source-code-analysis",
+          ),
+          "expected Python MCP service in python scan",
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+  });
+
+  describe("node_modules multi-ecosystem filtering", () => {
+    it("ignores composer manifests in node_modules during mixed npm/php scans", () => {
+      const tmpDir = createComposerNodeModulesFixture();
+      try {
+        const bomData = createPHPBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          projectType: ["js", "php"],
+          specVersion: 1.7,
+        });
+        assert.deepStrictEqual(bomData, {});
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows explicit php scans to inspect composer manifests in node_modules", () => {
+      const tmpDir = createComposerNodeModulesFixture();
+      try {
+        const bomData = createPHPBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          projectType: ["php"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows direct php scans without projectType to inspect composer manifests in node_modules", () => {
+      const tmpDir = createComposerNodeModulesFixture();
+      try {
+        const bomData = createPHPBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows explicit php alias combinations to inspect composer manifests in node_modules", () => {
+      const tmpDir = createComposerNodeModulesFixture();
+      try {
+        const bomData = createPHPBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          projectType: ["php", "composer"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("ignores jar artifacts in node_modules during mixed npm/jar scans", async () => {
+      const tmpDir = createJarNodeModulesFixture();
+      try {
+        const createJarBom = await loadStubbedCreateJarBom();
+        const bomData = await createJarBom(tmpDir, {
+          multiProject: true,
+          projectType: ["js", "jar"],
+          specVersion: 1.7,
+        });
+        assert.strictEqual(bomData?.bomJson?.components?.length || 0, 0);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows explicit jar scans to inspect node_modules artifacts", async () => {
+      const tmpDir = createJarNodeModulesFixture();
+      try {
+        const createJarBom = await loadStubbedCreateJarBom();
+        const bomData = await createJarBom(tmpDir, {
+          multiProject: true,
+          projectType: ["jar"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows direct jar scans without projectType to inspect node_modules artifacts", async () => {
+      const tmpDir = createJarNodeModulesFixture();
+      try {
+        const createJarBom = await loadStubbedCreateJarBom();
+        const bomData = await createJarBom(tmpDir, {
+          multiProject: true,
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("still allows explicit jar alias combinations to inspect node_modules artifacts", async () => {
+      const tmpDir = createJarNodeModulesFixture();
+      try {
+        const createJarBom = await loadStubbedCreateJarBom();
+        const bomData = await createJarBom(tmpDir, {
+          multiProject: true,
+          projectType: ["jar", "war"],
+          specVersion: 1.7,
+        });
+        assert.ok(bomData?.bomJson?.components?.length);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
   });
 });