@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/helpers/utils.js

@@ -11,6 +11,7 @@ import {
   mkdirSync,
   mkdtempSync,
   readFileSync,
+  realpathSync,
   rmSync,
   unlinkSync,
   writeFileSync,
@@ -918,7 +919,6 @@ export const PROJECT_TYPE_ALIASES = {
     "node20",
     "node22",
     "node23",
-    "mcp",
     "js",
     "javascript",
     "typescript",
@@ -927,6 +927,8 @@ export const PROJECT_TYPE_ALIASES = {
     "yarn",
     "rush",
   ],
+  mcp: ["mcp"],
+  "ai-skill": ["ai-skill", "skill", "skills"],
   py: [
     "py",
     "python",
@@ -980,7 +982,7 @@ export const PROJECT_TYPE_ALIASES = {
   dart: ["dart", "flutter", "pub"],
   haskell: ["haskell", "hackage", "cabal"],
   elixir: ["elixir", "hex", "mix"],
-  c: ["c", "cpp", "c++", "conan"],
+  c: ["c", "cpp", "c++", "conan", "collider"],
   clojure: ["clojure", "edn", "clj", "leiningen"],
   github: ["github", "actions"],
   os: ["os", "osquery", "windows", "linux", "mac", "macos", "darwin"],
@@ -1013,7 +1015,7 @@ export const PROJECT_TYPE_ALIASES = {
     "visionos",
   ],
   binary: ["binary", "blint"],
-  oci: ["docker", "oci", "container", "podman"],
+  oci: ["docker", "oci", "container", "podman", "rootfs", "oci-dir"],
   cocoa: ["cocoa", "cocoapods", "objective-c", "swift", "ios"],
   scala: ["scala", "scala3", "sbt", "mill"],
   nix: ["nix", "nixos", "flake"],
@@ -2584,6 +2586,23 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
           value: "true",
         });
       }
+      const npmManifestSources = collectNpmManifestSources(node);
+      if (npmManifestSources.length) {
+        addComponentProperty(
+          pkg,
+          "cdx:npm:manifestSourceType",
+          npmManifestSources
+            .map((manifestSource) => manifestSource.type)
+            .join(","),
+        );
+        addComponentProperty(
+          pkg,
+          "cdx:npm:manifestSource",
+          npmManifestSources
+            .map((manifestSource) => manifestSource.value)
+            .join(","),
+        );
+      }
       // This getter method could fail with errors at times.
       // Example Error: Invalid tag name "^>=6.0.0" of package "^>=6.0.0": Tags may not have any characters that encodeURIComponent encodes.
       try {
@@ -6810,8 +6829,17 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
           value: origName,
         });
       }
-      if (body.releases?.[p.version] && body.releases[p.version].length) {
-        const digest = body.releases[p.version][0].digests;
+      const releaseEntries = body.releases?.[p.version]?.length
+        ? body.releases[p.version]
+        : Array.isArray(body.urls)
+          ? body.urls
+          : [];
+      mergeExternalReferences(
+        p,
+        collectPypiReleaseExternalReferences(releaseEntries),
+      );
+      if (releaseEntries.length) {
+        const digest = releaseEntries[0].digests;
         if (digest["sha256"]) {
           p._integrity = `sha256-${digest["sha256"]}`;
         } else if (digest["md5"]) {
@@ -7042,6 +7070,287 @@ export async function parsePiplockData(lockData) {
   return await getPyMetadata(pkgList, false);
 }
 
+function addComponentProperty(component, name, value) {
+  if (value === undefined || value === null || value === "" || !component) {
+    return;
+  }
+  component.properties = component.properties || [];
+  if (
+    component.properties.some(
+      (property) => property.name === name && property.value === value,
+    )
+  ) {
+    return;
+  }
+  component.properties.push({
+    name,
+    value,
+  });
+}
+
+const PYTHON_DIRECT_REFERENCE_PATTERN =
+  /^([A-Za-z0-9_.-]+)(?:\[[^\]]+\])?\s*@\s*(\S+)$/;
+
+function isWindowsAbsolutePath(value) {
+  return /^[a-zA-Z]:[\\/]/.test(value) || value.startsWith("\\\\");
+}
+
+function createExternalReferenceKey(reference) {
+  return JSON.stringify([
+    reference.type,
+    reference.url,
+    reference.comment || "",
+  ]);
+}
+
+function classifyNpmManifestSource(spec) {
+  if (typeof spec !== "string" || !spec.trim()) {
+    return undefined;
+  }
+  const normalizedSpec = spec.trim();
+  const lowerSpec = normalizedSpec.toLowerCase();
+  if (
+    lowerSpec.startsWith("git+") ||
+    lowerSpec.startsWith("git://") ||
+    lowerSpec.startsWith("github:") ||
+    lowerSpec.startsWith("gitlab:") ||
+    lowerSpec.startsWith("bitbucket:") ||
+    lowerSpec.startsWith("gist:")
+  ) {
+    return {
+      type: "git",
+      value: normalizedSpec,
+    };
+  }
+  if (lowerSpec.startsWith("http://") || lowerSpec.startsWith("https://")) {
+    return {
+      type: "url",
+      value: normalizedSpec,
+    };
+  }
+  if (
+    lowerSpec.startsWith("file:") ||
+    lowerSpec.startsWith("link:") ||
+    lowerSpec.startsWith("workspace:") ||
+    normalizedSpec.startsWith("./") ||
+    normalizedSpec.startsWith("../") ||
+    normalizedSpec.startsWith("/") ||
+    isWindowsAbsolutePath(normalizedSpec)
+  ) {
+    return {
+      type: "path",
+      value: normalizedSpec,
+    };
+  }
+  return undefined;
+}
+
+function collectNpmManifestSources(node) {
+  const manifestSources = [];
+  const seen = new Set();
+  if (!node?.edgesIn) {
+    return manifestSources;
+  }
+  for (const edge of node.edgesIn) {
+    const manifestSource = classifyNpmManifestSource(edge?.spec);
+    if (!manifestSource) {
+      continue;
+    }
+    const dedupeKey = `${manifestSource.type}|${manifestSource.value}`;
+    if (seen.has(dedupeKey)) {
+      continue;
+    }
+    seen.add(dedupeKey);
+    manifestSources.push(manifestSource);
+  }
+  return manifestSources;
+}
+
+function normalizePythonDependencyKey(value) {
+  if (typeof value !== "string" || !value.trim()) {
+    return undefined;
+  }
+  return value.trim().toLowerCase().replaceAll("_", "-");
+}
+
+function extractPythonDependencyKey(value) {
+  const manifestSource = parsePyProjectDependencySourceString(value);
+  if (manifestSource?.name) {
+    return normalizePythonDependencyKey(manifestSource.name);
+  }
+  const packageMatch =
+    typeof value === "string"
+      ? value.trim().match(/^([A-Za-z0-9_.-]+)(?:\[[^\]]+\])?/)
+      : undefined;
+  return normalizePythonDependencyKey(packageMatch?.[1]);
+}
+function classifyPythonManifestSourceValue(value) {
+  if (typeof value !== "string" || !value.trim()) {
+    return undefined;
+  }
+  const normalizedValue = value.trim();
+  const lowerValue = normalizedValue.toLowerCase();
+  if (
+    lowerValue.startsWith("git+") ||
+    lowerValue.startsWith("git://") ||
+    lowerValue.startsWith("git@") ||
+    lowerValue.startsWith("ssh://git@")
+  ) {
+    return {
+      type: "git",
+      value: normalizedValue,
+    };
+  }
+  if (
+    lowerValue.startsWith("http://") ||
+    lowerValue.startsWith("https://") ||
+    lowerValue.startsWith("ftp://")
+  ) {
+    return {
+      type: "url",
+      value: normalizedValue,
+    };
+  }
+  if (
+    lowerValue.startsWith("file:") ||
+    normalizedValue.startsWith("./") ||
+    normalizedValue.startsWith("../") ||
+    normalizedValue.startsWith("/") ||
+    isWindowsAbsolutePath(normalizedValue)
+  ) {
+    return {
+      type: "path",
+      value: normalizedValue,
+    };
+  }
+  return undefined;
+}
+
+function applyManifestSourceProperties(
+  component,
+  propertyPrefix,
+  manifestSource,
+) {
+  if (!manifestSource?.type || !manifestSource?.value) {
+    return;
+  }
+  addComponentProperty(
+    component,
+    `${propertyPrefix}:manifestSourceType`,
+    manifestSource.type,
+  );
+  addComponentProperty(
+    component,
+    `${propertyPrefix}:manifestSource`,
+    manifestSource.value,
+  );
+}
+
+function recordPythonDependencySource(
+  dependencySourceMap,
+  dependencyName,
+  sourceType,
+  sourceValue,
+) {
+  const normalizedKey = normalizePythonDependencyKey(dependencyName);
+  if (!normalizedKey || !sourceType || !sourceValue) {
+    return;
+  }
+  dependencySourceMap[normalizedKey] = {
+    type: sourceType,
+    value: sourceValue,
+  };
+}
+
+function parsePyProjectDependencySourceString(value) {
+  if (typeof value !== "string" || !value.includes("@")) {
+    return undefined;
+  }
+  const directReferenceMatch = value
+    .trim()
+    .match(PYTHON_DIRECT_REFERENCE_PATTERN);
+  if (!directReferenceMatch) {
+    return undefined;
+  }
+  const manifestSource = classifyPythonManifestSourceValue(
+    directReferenceMatch[2],
+  );
+  if (!manifestSource) {
+    return undefined;
+  }
+  return {
+    name: directReferenceMatch[1],
+    ...manifestSource,
+  };
+}
+
+function collectPythonManifestSource(pkg) {
+  const sourceCandidates = [
+    { kind: "git", value: pkg?.source?.git },
+    { kind: "git", value: pkg?.vcs?.git },
+    { kind: "url", value: pkg?.vcs?.url },
+    { kind: "url", value: pkg?.source?.url },
+    { kind: "path", value: pkg?.source?.path },
+    { kind: "path", value: pkg?.source?.editable },
+    { kind: "path", value: pkg?.source?.virtual },
+  ];
+  for (const candidate of sourceCandidates) {
+    if (typeof candidate.value !== "string" || !candidate.value.trim()) {
+      continue;
+    }
+    const normalizedValue = candidate.value.trim();
+    if (candidate.kind === "git") {
+      return {
+        type: "git",
+        value: normalizedValue.startsWith("git+")
+          ? normalizedValue
+          : `git+${normalizedValue}`,
+      };
+    }
+    const manifestSource = classifyPythonManifestSourceValue(normalizedValue);
+    if (manifestSource) {
+      return manifestSource;
+    }
+    return {
+      type: candidate.kind,
+      value: normalizedValue,
+    };
+  }
+  return undefined;
+}
+
+function parsePythonRequirementManifestSource(value) {
+  if (typeof value !== "string" || !value.trim()) {
+    return undefined;
+  }
+  const normalizedValue = value.trim();
+  const directReferenceMatch = normalizedValue.match(
+    PYTHON_DIRECT_REFERENCE_PATTERN,
+  );
+  if (directReferenceMatch) {
+    const manifestSource = classifyPythonManifestSourceValue(
+      directReferenceMatch[2],
+    );
+    if (manifestSource) {
+      return {
+        name: directReferenceMatch[1],
+        ...manifestSource,
+      };
+    }
+  }
+  const vcsRequirementMatch = normalizedValue.match(
+    /^(git\+\S+?)(?:#.*egg=([A-Za-z0-9_.-]+))?$/,
+  );
+  if (vcsRequirementMatch?.[2]) {
+    return {
+      name: vcsRequirementMatch[2],
+      type: "git",
+      value: vcsRequirementMatch[1],
+    };
+  }
+  return undefined;
+}
+
 /**
  * Method to parse python pyproject.toml file
  *
@@ -7101,6 +7410,7 @@ export function parsePyProjectTomlFile(tomlFile) {
   let tomlData;
   const directDepsKeys = {};
   const groupDepsKeys = {};
+  const dependencySourceMap = {};
   try {
     tomlData = toml.parse(readFileSync(tomlFile, { encoding: "utf-8" }));
   } catch (err) {
@@ -7172,8 +7482,19 @@ export function parsePyProjectTomlFile(tomlFile) {
   }
   if (tomlData?.project?.dependencies) {
     for (const adep of tomlData.project.dependencies) {
-      // Example: bcrypt>=4.2.0
-      directDepsKeys[adep.split(/[\s<>=]/)[0]] = true;
+      const dependencyKey = extractPythonDependencyKey(adep);
+      if (dependencyKey) {
+        directDepsKeys[dependencyKey] = true;
+      }
+      const manifestSource = parsePyProjectDependencySourceString(adep);
+      if (manifestSource) {
+        recordPythonDependencySource(
+          dependencySourceMap,
+          manifestSource.name,
+          manifestSource.type,
+          manifestSource.value,
+        );
+      }
     }
   }
   if (tomlData["dependency-groups"]) {
@@ -7185,6 +7506,15 @@ export function parsePyProjectTomlFile(tomlFile) {
             groupDepsKeys[pname] = [];
           }
           groupDepsKeys[pname].push(agroup);
+          const manifestSource = parsePyProjectDependencySourceString(p);
+          if (manifestSource) {
+            recordPythonDependencySource(
+              dependencySourceMap,
+              manifestSource.name,
+              manifestSource.type,
+              manifestSource.value,
+            );
+          }
         } else {
           return;
         }
@@ -7205,6 +7535,29 @@ export function parsePyProjectTomlFile(tomlFile) {
         ].includes(adep)
       ) {
         directDepsKeys[adep] = true;
+        const poetryDependency = tomlData.tool.poetry.dependencies[adep];
+        if (poetryDependency?.git) {
+          recordPythonDependencySource(
+            dependencySourceMap,
+            adep,
+            "git",
+            poetryDependency.git,
+          );
+        } else if (poetryDependency?.url) {
+          recordPythonDependencySource(
+            dependencySourceMap,
+            adep,
+            "url",
+            poetryDependency.url,
+          );
+        } else if (poetryDependency?.path) {
+          recordPythonDependencySource(
+            dependencySourceMap,
+            adep,
+            "path",
+            poetryDependency.path,
+          );
+        }
       }
     } // for
     if (tomlData?.tool?.poetry?.group) {
@@ -7216,10 +7569,63 @@ export function parsePyProjectTomlFile(tomlFile) {
             groupDepsKeys[adep] = [];
           }
           groupDepsKeys[adep].push(agroup);
+          const poetryDependency =
+            tomlData.tool.poetry.group[agroup]?.dependencies?.[adep];
+          if (poetryDependency?.git) {
+            recordPythonDependencySource(
+              dependencySourceMap,
+              adep,
+              "git",
+              poetryDependency.git,
+            );
+          } else if (poetryDependency?.url) {
+            recordPythonDependencySource(
+              dependencySourceMap,
+              adep,
+              "url",
+              poetryDependency.url,
+            );
+          } else if (poetryDependency?.path) {
+            recordPythonDependencySource(
+              dependencySourceMap,
+              adep,
+              "path",
+              poetryDependency.path,
+            );
+          }
         }
       } // for
     }
   }
+  if (tomlData?.tool?.uv?.sources) {
+    for (const adep of Object.keys(tomlData.tool.uv.sources)) {
+      const uvSource = Array.isArray(tomlData.tool.uv.sources[adep])
+        ? tomlData.tool.uv.sources[adep][0]
+        : tomlData.tool.uv.sources[adep];
+      if (uvSource?.git) {
+        recordPythonDependencySource(
+          dependencySourceMap,
+          adep,
+          "git",
+          uvSource.git,
+        );
+      } else if (uvSource?.url) {
+        recordPythonDependencySource(
+          dependencySourceMap,
+          adep,
+          "url",
+          uvSource.url,
+        );
+      } else if (uvSource?.path) {
+        recordPythonDependencySource(
+          dependencySourceMap,
+          adep,
+          "path",
+          uvSource.path,
+        );
+      }
+    }
+  }
   return {
     parentComponent: pkg,
     poetryMode,
@@ -7228,9 +7634,146 @@ export function parsePyProjectTomlFile(tomlFile) {
     workspacePaths,
     directDepsKeys,
     groupDepsKeys,
+    dependencySourceMap,
   };
 }
 
+function collectPythonLockDistributionReferences(pkg) {
+  const externalReferences = [];
+  const seen = new Set();
+
+  function addExternalReference(type, url, comment) {
+    if (typeof url !== "string" || !url.trim()) {
+      return;
+    }
+    const normalizedUrl = url.trim();
+    const reference = {
+      type,
+      url: normalizedUrl,
+      comment,
+    };
+    const referenceKey = createExternalReferenceKey(reference);
+    if (seen.has(referenceKey)) {
+      return;
+    }
+    seen.add(referenceKey);
+    externalReferences.push(reference);
+  }
+
+  addExternalReference("distribution", pkg?.archive?.url, "archive");
+  addExternalReference("distribution", pkg?.sdist?.url, "sdist");
+  if (Array.isArray(pkg?.wheels)) {
+    for (const wheel of pkg.wheels) {
+      addExternalReference(
+        "distribution",
+        wheel?.url,
+        wheel?.file || wheel?.name || wheel?.filename || "wheel",
+      );
+    }
+  }
+  const vcsSource = [
+    { kind: "url", value: pkg?.vcs?.url },
+    { kind: "git", value: pkg?.vcs?.git },
+    { kind: "git", value: pkg?.source?.git },
+  ].find(
+    (entry) => typeof entry.value === "string" && entry.value.trim().length > 0,
+  );
+  if (vcsSource) {
+    const vcsUrl = vcsSource.value.trim();
+    const normalizedVcsUrl =
+      vcsSource.kind === "git" && !vcsUrl.startsWith("git+")
+        ? `git+${vcsUrl}`
+        : vcsUrl;
+    addExternalReference("vcs", normalizedVcsUrl, "vcs");
+  }
+  if (pkg?.source?.url) {
+    const manifestSource = classifyPythonManifestSourceValue(pkg.source.url);
+    addExternalReference(
+      manifestSource?.type === "git" ? "vcs" : "distribution",
+      pkg.source.url,
+      "source",
+    );
+  }
+  return externalReferences;
+}
+
+function collectPythonLockMetadataFileEntries(lockTomlObj, pkg) {
+  if (!lockTomlObj?.metadata?.files || !pkg?.name) {
+    return [];
+  }
+  const expectedKeys = new Set([normalizePythonDependencyKey(pkg.name)]);
+  if (pkg.version) {
+    expectedKeys.add(
+      `${normalizePythonDependencyKey(pkg.name)} ${`${pkg.version}`.trim().toLowerCase()}`,
+    );
+  }
+  const matchingEntries = [];
+  for (const [entryKey, entryValues] of Object.entries(
+    lockTomlObj.metadata.files,
+  )) {
+    if (!Array.isArray(entryValues)) {
+      continue;
+    }
+    if (expectedKeys.has(normalizePythonDependencyKey(entryKey))) {
+      matchingEntries.push(...entryValues);
+    }
+  }
+  return matchingEntries;
+}
+
+function mergeExternalReferences(component, references) {
+  if (!references?.length) {
+    return;
+  }
+  const existingReferences = component.externalReferences || [];
+  const seen = new Set(
+    existingReferences.map((reference) =>
+      createExternalReferenceKey(reference),
+    ),
+  );
+  for (const reference of references) {
+    const dedupeKey = createExternalReferenceKey(reference);
+    if (seen.has(dedupeKey)) {
+      continue;
+    }
+    seen.add(dedupeKey);
+    existingReferences.push(reference);
+  }
+  if (existingReferences.length) {
+    component.externalReferences = existingReferences;
+  }
+}
+
+function collectPythonLockMetadataDistributionReferences(fileEntries) {
+  const distributionReferences = [];
+  for (const fileEntry of fileEntries || []) {
+    if (typeof fileEntry?.url !== "string" || !fileEntry.url.trim()) {
+      continue;
+    }
+    distributionReferences.push({
+      type: "distribution",
+      url: fileEntry.url.trim(),
+      comment: fileEntry.file,
+    });
+  }
+  return distributionReferences;
+}
+
+function collectPypiReleaseExternalReferences(releaseEntries) {
+  const externalReferences = [];
+  for (const releaseEntry of releaseEntries || []) {
+    if (typeof releaseEntry?.url !== "string" || !releaseEntry.url.trim()) {
+      continue;
+    }
+    externalReferences.push({
+      type: "distribution",
+      url: releaseEntry.url.trim(),
+      comment: releaseEntry.filename || releaseEntry.packagetype,
+    });
+  }
+  return externalReferences;
+}
+
 /**
  * Method to parse python lock files such as poetry.lock, pdm.lock, uv.lock, and pylock.toml.
  *
@@ -7247,6 +7790,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
   const pkgBomRefMap = {};
   let directDepsKeys = {};
   let groupDepsKeys = {};
+  let dependencySourceMap = {};
   let parentComponent;
   let workspacePaths;
   let workspaceWarningShown = false;
@@ -7254,6 +7798,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
   let pyLockProperties = [];
   // Keep track of any workspace components to be added to the parent component
   const workspaceComponentMap = {};
+  const workspaceDependencySourceMap = {};
   const workspacePyProjMap = {};
   const workspaceRefPyProjMap = {};
   const pkgParentMap = {};
@@ -7273,6 +7818,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
     const pyProjMap = parsePyProjectTomlFile(pyProjectFile);
     directDepsKeys = pyProjMap.directDepsKeys || {};
     groupDepsKeys = pyProjMap.groupDepsKeys || {};
+    dependencySourceMap = pyProjMap.dependencySourceMap || {};
     parentComponent = pyProjMap.parentComponent;
     workspacePaths = pyProjMap.workspacePaths;
     if (workspacePaths?.length) {
@@ -7336,6 +7882,12 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
             }
           }
           const wparentComponentRef = wcompMap.parentComponent["bom-ref"];
+          if (wcompMap?.dependencySourceMap) {
+            Object.assign(
+              workspaceDependencySourceMap,
+              wcompMap.dependencySourceMap,
+            );
+          }
           // Track the parents of workspace direct dependencies
           if (wcompMap?.directDepsKeys) {
             for (const wdd of Object.keys(wcompMap?.directDepsKeys)) {
@@ -7407,6 +7959,11 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         value: workspacePyProjMap[apkg.name] || pyProjectFile,
       });
     }
+    const manifestSource =
+      dependencySourceMap[normalizePythonDependencyKey(apkg.name)] ||
+      workspaceDependencySourceMap[normalizePythonDependencyKey(apkg.name)] ||
+      collectPythonManifestSource(apkg);
+    applyManifestSourceProperties(pkg, "cdx:pypi", manifestSource);
     if (apkg.optional) {
       pkg.scope = "optional";
     }
@@ -7448,6 +8005,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         });
       }
     }
+    mergeExternalReferences(pkg, collectPythonLockDistributionReferences(apkg));
     if (pyLockMode) {
       pkg.properties = pkg.properties.concat(
         collectPyLockPackageProperties(apkg),
@@ -7510,9 +8068,17 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         }
       }
     }
-    if (lockTomlObj?.metadata?.files?.[pkg.name]?.length) {
+    const metadataFileEntries = collectPythonLockMetadataFileEntries(
+      lockTomlObj,
+      pkg,
+    );
+    mergeExternalReferences(
+      pkg,
+      collectPythonLockMetadataDistributionReferences(metadataFileEntries),
+    );
+    if (metadataFileEntries.length) {
       pkg.components = [];
-      for (const afileObj of lockTomlObj.metadata.files[pkg.name]) {
+      for (const afileObj of metadataFileEntries) {
         const hashParts = afileObj?.hash?.split(":");
         let hashes;
         if (hashParts?.length === 2) {
@@ -7546,8 +8112,9 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
         pkg.components = (pkg.components || []).concat(pylockFileComponents);
       }
     }
+    const normalizedPkgName = normalizePythonDependencyKey(pkg.name);
     if (
-      directDepsKeys[pkg.name] ||
+      directDepsKeys[normalizedPkgName] ||
       (hasWorkspaces && !Object.keys(workspaceComponentMap).length)
     ) {
       rootList.push(pkg);
@@ -7742,6 +8309,23 @@ export async function parseReqFile(reqFile, fetchDepsInfo = false) {
 const LICENSE_ID_COMMENTS_PATTERN =
   /^(Apache-2\.0|MIT|ISC|GPL-|LGPL-|BSD-[23]-Clause)/i;
 
+function parseLicenseComment(comment) {
+  if (!comment) {
+    return undefined;
+  }
+  const licenses = comment
+    .split("/")
+    .map((value) => {
+      const licenseId = value.trim();
+      if (!licenseId.match(LICENSE_ID_COMMENTS_PATTERN)) {
+        return undefined;
+      }
+      return { license: { id: licenseId } };
+    })
+    .filter((value) => value !== undefined);
+  return licenses.length ? licenses : undefined;
+}
+
 /**
  * Method to parse requirements.txt file. Must only be used internally.
  *
@@ -7779,11 +8363,16 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
   const lines = normalizedData.split("\n");
   for (const line of lines) {
     let l = line.trim();
+    let editableRequirement = false;
     if (l.includes("# Basic requirements")) {
       compScope = "required";
     } else if (l.includes("added by pip freeze")) {
       compScope = undefined;
     }
+    if (l.startsWith("-e ") || l.startsWith("--editable ")) {
+      editableRequirement = true;
+      l = l.replace(/^--editable\s+|^-e\s+/, "").trim();
+    }
     if (l.startsWith("Skipping line") || l.startsWith("(add")) {
       continue;
     }
@@ -7832,6 +8421,45 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
       markers = parts.slice(1).join(";").trim();
       structuredMarkers = parseReqEnvMarkers(markers);
     }
+    const requirementManifestSource = parsePythonRequirementManifestSource(l);
+    if (requirementManifestSource?.name) {
+      const apkg = {
+        name: requirementManifestSource.name,
+        version: null,
+        scope: compScope,
+        evidence,
+      };
+      if (hashes.length > 0) {
+        apkg.hashes = hashes;
+      }
+      const licenses = parseLicenseComment(comment);
+      if (licenses) {
+        apkg.licenses = licenses;
+      }
+      applyManifestSourceProperties(
+        apkg,
+        "cdx:pypi",
+        requirementManifestSource,
+      );
+      if (editableRequirement) {
+        addComponentProperty(apkg, "cdx:pypi:editable", "true");
+      }
+      if (markers) {
+        addComponentProperty(apkg, "cdx:pip:markers", markers);
+        if (structuredMarkers?.length > 0) {
+          addComponentProperty(
+            apkg,
+            "cdx:pip:structuredMarkers",
+            JSON.stringify(structuredMarkers),
+          );
+        }
+      }
+      if (reqFile) {
+        addComponentProperty(apkg, "SrcFile", reqFile);
+      }
+      pkgList.push(apkg);
+      continue;
+    }
 
     // Handle extras (e.g., package[extra1,extra2])
     let extras = null;
@@ -7865,20 +8493,9 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
       if (hashes.length > 0) {
         apkg.hashes = hashes;
       }
-      if (comment) {
-        apkg.licenses = comment
-          .split("/")
-          .map((c) => {
-            const licenseObj = {};
-            const cId = c.trim();
-            if (cId.match(LICENSE_ID_COMMENTS_PATTERN)) {
-              licenseObj.id = cId;
-            } else {
-              return undefined;
-            }
-            return { license: licenseObj };
-          })
-          .filter((l) => l !== undefined);
+      const licenses = parseLicenseComment(comment);
+      if (licenses) {
+        apkg.licenses = licenses;
       }
       if (extras && extras.length > 0) {
         properties.push({
@@ -7904,6 +8521,12 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
           });
         }
       }
+      if (editableRequirement) {
+        properties.push({
+          name: "cdx:pypi:editable",
+          value: "true",
+        });
+      }
       if (properties.length) {
         apkg.properties = properties;
       }
@@ -7931,20 +8554,9 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
         scope: compScope,
         evidence,
       };
-      if (comment) {
-        apkg.licenses = comment
-          .split("/")
-          .map((c) => {
-            const licenseObj = {};
-            const cId = c.trim();
-            if (cId.match(LICENSE_ID_COMMENTS_PATTERN)) {
-              licenseObj.id = cId;
-            } else {
-              return undefined;
-            }
-            return { license: licenseObj };
-          })
-          .filter((l) => l !== undefined);
+      const licenses = parseLicenseComment(comment);
+      if (licenses) {
+        apkg.licenses = licenses;
       }
       if (versionSpecifiers && !versionSpecifiers.startsWith("==")) {
         properties.push({
@@ -7964,6 +8576,12 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
           });
         }
       }
+      if (editableRequirement) {
+        properties.push({
+          name: "cdx:pypi:editable",
+          value: "true",
+        });
+      }
       if (properties.length) {
         apkg.properties = properties;
       }
@@ -12664,6 +13282,188 @@ export function parseConanData(conanData) {
   return pkgList;
 }
 
+/**
+ * Construct a generic package component object for collider-managed packages.
+ *
+ * @param {string} name Package name
+ * @param {Object} pkgData Locked package entry from collider.lock
+ * @param {string} lockFile Source lock file path
+ * @param {string} dependencyKind Whether the package is direct or transitive
+ * @returns {Object|undefined} Package component
+ */
+function buildColliderComponent(name, pkgData, lockFile, dependencyKind) {
+  if (!name) {
+    return undefined;
+  }
+  pkgData = pkgData || {};
+  dependencyKind = dependencyKind || "transitive";
+  const version = pkgData?.version || "";
+  const purl = new PackageURL(
+    "generic",
+    "",
+    name,
+    version || undefined,
+    null,
+    null,
+  ).toString();
+  const properties = [
+    {
+      name: "cdx:collider:dependencyKind",
+      value: dependencyKind,
+    },
+  ];
+  if (lockFile) {
+    properties.unshift({
+      name: "SrcFile",
+      value: lockFile,
+    });
+  }
+  const wrapHash =
+    typeof pkgData?.wrap_hash === "string" ? pkgData.wrap_hash.trim() : "";
+  const wrapHashMatch = wrapHash.match(/^sha256:([0-9A-Fa-f]{64})$/);
+  if (wrapHash) {
+    properties.push({
+      name: "cdx:collider:wrapHash",
+      value: wrapHash,
+    });
+  }
+  properties.push({
+    name: "cdx:collider:hasWrapHash",
+    value: wrapHashMatch ? "true" : "false",
+  });
+  if (wrapHash && !wrapHashMatch) {
+    properties.push({
+      name: "cdx:collider:wrapHashInvalid",
+      value: "true",
+    });
+  }
+  let originReference;
+  if (typeof pkgData?.origin === "string" && pkgData.origin.trim()) {
+    try {
+      const originUrl = new URL(pkgData.origin.trim());
+      const originHadSensitiveParts = Boolean(
+        originUrl.username ||
+          originUrl.password ||
+          originUrl.search ||
+          originUrl.hash,
+      );
+      originUrl.username = "";
+      originUrl.password = "";
+      originUrl.search = "";
+      originUrl.hash = "";
+      originReference = originUrl.toString();
+      properties.push({
+        name: "cdx:collider:origin",
+        value: originReference,
+      });
+      properties.push({
+        name: "cdx:collider:originScheme",
+        value: originUrl.protocol.replace(":", ""),
+      });
+      if (originUrl.host) {
+        properties.push({
+          name: "cdx:collider:originHost",
+          value: originUrl.host,
+        });
+      }
+      if (originHadSensitiveParts) {
+        properties.push({
+          name: "cdx:collider:originSanitized",
+          value: "true",
+        });
+      }
+    } catch {
+      thoughtLog("Ignoring invalid Collider origin URL");
+    }
+  }
+  const component = {
+    name,
+    version,
+    purl,
+    "bom-ref": decodeURIComponent(purl),
+    properties,
+  };
+  if (dependencyKind === "direct") {
+    component.scope = "required";
+  }
+  if (wrapHashMatch) {
+    component.hashes = [
+      {
+        alg: "SHA-256",
+        content: wrapHashMatch[1].toLowerCase(),
+      },
+    ];
+  }
+  if (originReference) {
+    component.externalReferences = [
+      {
+        type: "distribution",
+        url: originReference,
+      },
+    ];
+  }
+  return component;
+}
+
+/**
+ * Parse Collider lock file data (collider.lock) and return the package list and
+ * parent component dependencies.
+ *
+ * @param {string} colliderLockData Raw JSON string of the Collider lock file
+ * @param {string} lockFile Source lock file path
+ * @returns {{ pkgList: Object[], dependencies: Object, parentComponentDependencies: string[] }}
+ */
+export function parseColliderLockData(colliderLockData, lockFile) {
+  const pkgList = [];
+  const dependencies = {};
+  const parentComponentDependencies = [];
+  if (!colliderLockData) {
+    return { pkgList, dependencies, parentComponentDependencies };
+  }
+  let parsedLockFile;
+  try {
+    parsedLockFile = JSON.parse(colliderLockData);
+  } catch {
+    return { pkgList, dependencies, parentComponentDependencies };
+  }
+  const addedBomRefs = new Set();
+  const directDependencies = parsedLockFile.dependencies || {};
+  const packages = parsedLockFile.packages || {};
+  for (const [name, pkgData] of Object.entries(directDependencies)) {
+    const component = buildColliderComponent(name, pkgData, lockFile, "direct");
+    if (!component) {
+      continue;
+    }
+    if (!addedBomRefs.has(component["bom-ref"])) {
+      pkgList.push(component);
+      addedBomRefs.add(component["bom-ref"]);
+    }
+    if (!parentComponentDependencies.includes(component["bom-ref"])) {
+      parentComponentDependencies.push(component["bom-ref"]);
+    }
+    if (!(component["bom-ref"] in dependencies)) {
+      dependencies[component["bom-ref"]] = [];
+    }
+  }
+  for (const [name, pkgData] of Object.entries(packages)) {
+    const component = buildColliderComponent(
+      name,
+      pkgData,
+      lockFile,
+      "transitive",
+    );
+    if (!component || addedBomRefs.has(component["bom-ref"])) {
+      continue;
+    }
+    pkgList.push(component);
+    addedBomRefs.add(component["bom-ref"]);
+    if (!(component["bom-ref"] in dependencies)) {
+      dependencies[component["bom-ref"]] = [];
+    }
+  }
+  return { pkgList, dependencies, parentComponentDependencies };
+}
+
 /**
  * Parse Leiningen project.clj data and extract dependency packages.
  *
@@ -18362,6 +19162,92 @@ export function parsePackageJsonName(name) {
   return returnObject;
 }
 
+/**
+ * Collect bom-refs from metadata.tools entries.
+ *
+ * @param {Object[]|Object} tools CycloneDX metadata.tools section
+ * @param {Function} predicate Optional filter function
+ * @returns {string[]} Unique tool bom-refs
+ */
+export function extractToolRefs(tools, predicate) {
+  if (!tools) {
+    return [];
+  }
+  const toolRefs = new Set();
+  const toolList = Array.isArray(tools)
+    ? tools
+    : [...(tools.components || []), ...(tools.services || [])];
+  for (const tool of toolList) {
+    let toolRef = tool?.["bom-ref"];
+    if (!toolRef && tool?.purl) {
+      toolRef = decodeURIComponent(tool.purl);
+    }
+    if (!toolRef && tool?.name) {
+      try {
+        toolRef = new PackageURL(
+          "generic",
+          tool.group || tool.publisher || tool.manufacturer?.name || undefined,
+          tool.name,
+          tool.version || undefined,
+          null,
+          null,
+        ).toString();
+      } catch (_err) {
+        thoughtLog("Unable to derive bom-ref for external tool", {
+          group: tool.group,
+          manufacturer: tool.manufacturer?.name,
+          name: tool.name,
+          publisher: tool.publisher,
+          version: tool.version,
+        });
+        toolRef = undefined;
+      }
+    }
+    if (!toolRef) {
+      continue;
+    }
+    if (!tool["bom-ref"]) {
+      tool["bom-ref"] = toolRef;
+    }
+    if (predicate && !predicate(tool)) {
+      continue;
+    }
+    toolRefs.add(toolRef);
+  }
+  return Array.from(toolRefs);
+}
+
+/**
+ * Attach evidence.identity.tools references to the supplied subjects.
+ *
+ * @param {Object|Object[]} subjects Component or service objects
+ * @param {string[]} toolRefs Tool bom-refs
+ * @returns {Object|Object[]} The same mutated subject(s)
+ */
+export function attachIdentityTools(subjects, toolRefs) {
+  if (!subjects || !toolRefs?.length) {
+    return subjects;
+  }
+  const uniqueToolRefs = Array.from(new Set(toolRefs.filter(Boolean)));
+  if (!uniqueToolRefs.length) {
+    return subjects;
+  }
+  const subjectList = Array.isArray(subjects) ? subjects : [subjects];
+  for (const subject of subjectList) {
+    const identities = Array.isArray(subject?.evidence?.identity)
+      ? subject.evidence.identity
+      : subject?.evidence?.identity
+        ? [subject.evidence.identity]
+        : [];
+    for (const identity of identities) {
+      identity.tools = Array.from(
+        new Set([...(identity.tools || []), ...uniqueToolRefs]),
+      );
+    }
+  }
+  return subjects;
+}
+
 /**
  * Method to add occurrence evidence for components based on import statements. Currently useful for js
  *
@@ -19959,7 +20845,7 @@ export function collectExecutables(basePath, binPaths) {
   if (!binPaths) {
     return [];
   }
-  let executables = [];
+  const executablesByResolvedPath = new Map();
   const ignoreList = [
     "**/*.{h,c,cpp,hpp,man,txt,md,htm,html,jar,ear,war,zip,tar,egg,keepme,gitignore,json,js,py,pyc}",
     "[",
@@ -19975,12 +20861,38 @@ export function collectExecutables(basePath, binPaths) {
         follow: true,
         ignore: ignoreList,
       });
-      executables = executables.concat(files);
+      for (const file of files) {
+        let resolvedFile = file;
+        try {
+          resolvedFile = relative(basePath, realpathSync(join(basePath, file)));
+        } catch (_err) {
+          // Broken symlinks or permission errors can prevent realpath resolution.
+          if (DEBUG_MODE) {
+            console.log(`Unable to resolve executable path alias for ${file}`);
+          }
+        }
+        const existingFile = executablesByResolvedPath.get(resolvedFile);
+        if (shouldPreferUsrMergedExecutablePath(file, existingFile)) {
+          executablesByResolvedPath.set(resolvedFile, file);
+        }
+      }
     } catch (_err) {
       // ignore
     }
   }
-  return Array.from(new Set(executables)).sort();
+  return Array.from(executablesByResolvedPath.values()).sort();
+}
+
+function shouldPreferUsrMergedExecutablePath(file, existingFile) {
+  if (!existingFile) {
+    return true;
+  }
+  const fileUsesUsrPrefix = file.startsWith("usr/");
+  const existingFileUsesUsrPrefix = existingFile.startsWith("usr/");
+  if (fileUsesUsrPrefix !== existingFileUsesUsrPrefix) {
+    return fileUsesUsrPrefix;
+  }
+  return file < existingFile;
 }
 
 /**