@cyclonedx/cdxgen 12.3.2 → 12.3.3

package/README.md

@@ -523,6 +523,12 @@ You can also pass `-t docker` with repository names. Only the `latest` tag would
 cdxgen shiftleft/scan-slim -o /tmp/bom.json -t docker
 ```
 
+For offline or staged scans, point cdxgen at a locally reconstructed root filesystem directory. The container pipeline accepts `-t docker`, `-t rootfs`, or `-t oci-dir` for this mode.
+
+```shell
+cdxgen /tmp/remote_target -o /tmp/bom.json -t rootfs
+```
+
 You can also pass the .tar file of a container image.
 
 ```shell

package/data/rules/ci-permissions.yaml

@@ -642,5 +642,137 @@
       "sensitiveOperations": $prop($, 'cdx:github:step:sensitiveOperations'),
       "sensitiveContextRefs": $prop($, 'cdx:github:step:sensitiveContextRefs'),
       "dispatchKinds": $prop($, 'cdx:github:step:dispatchKinds')
+     }
+
+- id: CI-022
+  name: "npm setup action disables build cache despite resolved package distributions"
+  description: "Explicitly disabling setup-node caching reduces tamper resistance and reviewability when npm dependencies are resolved from remote package distributions"
+  severity: medium
+  category: ci-permission
+  attack:
+    tactics: [TA0005]
+    techniques: [T1195.001]
+  condition: |
+    $auditComponents($)[
+      $prop($, 'cdx:github:action:disablesBuildCache') = 'true'
+      and $prop($, 'cdx:github:action:buildCacheEcosystem') = 'npm'
+      and $count($$.components[
+        $startsWith(purl, 'pkg:npm/')
+        and (
+          $contains($lowercase($nullSafeProp($, 'cdx:npm:manifestSourceType')), 'git')
+          or $contains($lowercase($nullSafeProp($, 'cdx:npm:manifestSourceType')), 'url')
+        )
+        and $count(externalReferences[
+          type = 'distribution'
+          and (
+            $startsWith($lowercase(url), 'git+')
+            or $startsWith($lowercase(url), 'http://')
+            or $startsWith($lowercase(url), 'https://')
+          )
+        ]) > 0
+      ]) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "GitHub Action '{{ $prop($, 'cdx:github:action:uses') }}' explicitly disables npm build caching while resolved npm package distributions are present in the BOM"
+  mitigation: "Keep setup-node caching enabled unless you have a reviewed exception; disabling cache can weaken integrity checks and provenance review for resolved npm artifacts"
+  evidence: |
+    {
+      "cacheDisableInput": $prop($, 'cdx:github:action:buildCacheDisableInput'),
+      "cacheDisableValue": $prop($, 'cdx:github:action:buildCacheDisableValue'),
+      "matchingPackages": $$.components[
+        $startsWith(purl, 'pkg:npm/')
+        and (
+          $contains($lowercase($nullSafeProp($, 'cdx:npm:manifestSourceType')), 'git')
+          or $contains($lowercase($nullSafeProp($, 'cdx:npm:manifestSourceType')), 'url')
+        )
+        and $count(externalReferences[
+          type = 'distribution'
+          and (
+            $startsWith($lowercase(url), 'git+')
+            or $startsWith($lowercase(url), 'http://')
+            or $startsWith($lowercase(url), 'https://')
+          )
+        ]) > 0
+      ].purl
+    }
+
+- id: CI-023
+  name: "Python setup action disables build cache despite resolved package distributions"
+  description: "Explicitly disabling setup-python caching reduces tamper resistance and reviewability when PyPI dependencies are resolved from remote archives or VCS sources"
+  severity: medium
+  category: ci-permission
+  attack:
+    tactics: [TA0005]
+    techniques: [T1195.001]
+  condition: |
+    $auditComponents($)[
+      $prop($, 'cdx:github:action:disablesBuildCache') = 'true'
+      and $prop($, 'cdx:github:action:buildCacheEcosystem') = 'pypi'
+      and $count($$.components[
+        $startsWith(purl, 'pkg:pypi/')
+        and (
+          $contains($lowercase($nullSafeProp($, 'cdx:pypi:manifestSourceType')), 'git')
+          or $contains($lowercase($nullSafeProp($, 'cdx:pypi:manifestSourceType')), 'url')
+        )
+      ]) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "GitHub Action '{{ $prop($, 'cdx:github:action:uses') }}' explicitly disables Python build caching while resolved PyPI package distributions are present in the BOM"
+  mitigation: "Keep setup-python caching enabled when lockfiles resolve remote archives or VCS sources unless you have a reviewed exception"
+  evidence: |
+    {
+      "cacheDisableInput": $prop($, 'cdx:github:action:buildCacheDisableInput'),
+      "cacheDisableValue": $prop($, 'cdx:github:action:buildCacheDisableValue'),
+      "matchingPackages": $$.components[
+        $startsWith(purl, 'pkg:pypi/')
+        and (
+          $contains($lowercase($nullSafeProp($, 'cdx:pypi:manifestSourceType')), 'git')
+          or $contains($lowercase($nullSafeProp($, 'cdx:pypi:manifestSourceType')), 'url')
+        )
+      ].purl
     }
 
+- id: CI-024
+  name: "Cargo setup action disables build cache despite manifest-declared git dependencies"
+  description: "Explicitly disabling Cargo setup caching reduces tamper resistance and reviewability when Cargo manifests rely on git dependencies"
+  severity: medium
+  category: ci-permission
+  attack:
+    tactics: [TA0005]
+    techniques: [T1195.001]
+  condition: |
+    $auditComponents($)[
+      $prop($, 'cdx:github:action:disablesBuildCache') = 'true'
+      and $prop($, 'cdx:github:action:buildCacheEcosystem') = 'cargo'
+      and $count($$.components[
+        $startsWith(purl, 'pkg:cargo/')
+        and $hasProp($, 'cdx:cargo:git')
+      ]) > 0
+    ]
+  location: |
+    {
+      "bomRef": $."bom-ref",
+      "purl": purl,
+      "file": $prop($, 'cdx:github:workflow:file')
+    }
+  message: "GitHub Action '{{ $prop($, 'cdx:github:action:uses') }}' explicitly disables Cargo build caching while manifest-declared Cargo git dependencies are present in the BOM"
+  mitigation: "Keep Cargo setup caching enabled when manifests rely on git dependencies unless you have a reviewed exception"
+  evidence: |
+    {
+      "cacheDisableInput": $prop($, 'cdx:github:action:buildCacheDisableInput'),
+      "cacheDisableValue": $prop($, 'cdx:github:action:buildCacheDisableValue'),
+      "matchingPackages": $$.components[
+        $startsWith(purl, 'pkg:cargo/')
+        and $hasProp($, 'cdx:cargo:git')
+      ].purl
+    }

package/data/rules/dependency-sources.yaml

@@ -2,21 +2,23 @@
 # Category: dependency-source
 # Evaluates package manager data for non-registry, local, or mutable sources
 - id: PKG-001
-  name: "Install script from non-registry source"
-  description: "npm packages with install scripts from git/file/local sources increase supply chain attack surface"
+  name: "Install script from direct manifest source"
+  description: "npm packages with install scripts declared from git, URL, or local path sources in the manifest increase supply chain attack surface"
   severity: high
   category: dependency-source
   condition: |
     components[
       $prop($, 'cdx:npm:hasInstallScript') = 'true'
-      and $prop($, 'cdx:npm:isRegistryDependency') = 'false'
+      and $hasProp($, 'cdx:npm:manifestSourceType')
     ]
   location: |
     { "bomRef": $."bom-ref", "purl": purl }
-  message: "npm package '{{ name }}@{{ version }}' executes install script from non-registry source"
-  mitigation: "Avoid git/file dependencies with lifecycle hooks; use registry dependencies or vendor explicitly"
+  message: "npm package '{{ name }}@{{ version }}' executes install script from manifest-declared source type(s): {{ $prop($, 'cdx:npm:manifestSourceType') }}"
+  mitigation: "Avoid git, URL, or local-path dependencies with lifecycle hooks; use registry-published dependencies or vendor explicitly"
   evidence: |
     {
+      "manifestSourceType": $prop($, 'cdx:npm:manifestSourceType'),
+      "manifestSource": $prop($, 'cdx:npm:manifestSource'),
       "riskyScripts": $prop($, 'cdx:npm:risky_scripts'),
       "resolvedPath": $prop($, 'cdx:npm:resolvedPath'),
       "isLink": $prop($, 'cdx:npm:isLink')
@@ -162,3 +164,61 @@
       "dependencyKind": $prop($, 'cdx:cargo:dependencyKind'),
       "target": $prop($, 'cdx:cargo:target')
     }
+- id: PKG-009
+  name: "Collider package resolved from insecure HTTP origin"
+  description: "Collider lock entries that resolve from HTTP origins can be observed or modified in transit before wrap-hash verification occurs"
+  severity: medium
+  category: dependency-source
+  condition: |
+    components[
+      $prop($, 'cdx:collider:originScheme') = 'http'
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Collider package '{{ name }}@{{ version }}' resolves from insecure origin '{{ $prop($, 'cdx:collider:origin') }}'"
+  mitigation: "Prefer HTTPS, trusted file:// repositories, or an authenticated internal mirror for Collider package origins"
+  evidence: |
+    {
+      "origin": $prop($, 'cdx:collider:origin'),
+      "originHost": $prop($, 'cdx:collider:originHost'),
+      "dependencyKind": $prop($, 'cdx:collider:dependencyKind')
+    }
+- id: PKG-010
+  name: "Collider origin required sanitization before BOM emission"
+  description: "Collider lock origin URLs should not carry credentials, query strings, or fragments because those values may embed secrets or unstable signed URLs"
+  severity: low
+  category: dependency-source
+  condition: |
+    components[
+      $prop($, 'cdx:collider:originSanitized') = 'true'
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Collider package '{{ name }}@{{ version }}' had sensitive origin fields stripped before BOM emission"
+  mitigation: "Avoid embedding credentials or signed query parameters in Collider repository origin URLs; prefer stable repository base URLs"
+  evidence: |
+    {
+      "origin": $prop($, 'cdx:collider:origin'),
+      "originHost": $prop($, 'cdx:collider:originHost'),
+      "dependencyKind": $prop($, 'cdx:collider:dependencyKind')
+    }
+- id: PKG-011
+  name: "Python dependency uses direct manifest source"
+  description: "Python dependencies declared via git, direct URL, or local path in requirements or pyproject files bypass normal registry version mediation"
+  severity: high
+  category: dependency-source
+  condition: |
+    components[
+      $hasProp($, 'cdx:pypi:manifestSourceType')
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Python package '{{ name }}@{{ version }}' is declared from manifest {{ $prop($, 'cdx:pypi:manifestSourceType') }} source '{{ $prop($, 'cdx:pypi:manifestSource') }}'"
+  mitigation: "Prefer registry-published releases for production builds, or pin and review direct git/URL/path sources explicitly"
+  evidence: |
+    {
+      "manifestSourceType": $prop($, 'cdx:pypi:manifestSourceType'),
+      "manifestSource": $prop($, 'cdx:pypi:manifestSource'),
+      "registry": $prop($, 'cdx:pypi:registry'),
+      "resolvedFrom": $prop($, 'cdx:pypi:resolved_from')
+    }

package/data/rules/package-integrity.yaml

@@ -305,3 +305,25 @@
         )
       ].$prop($, 'cdx:github:step:command')
     }
+
+- id: INT-014
+  name: "Collider package missing valid wrap hash pin"
+  description: "Collider lock entries should carry a SHA-256 wrap_hash so the selected wrap file remains integrity-pinned and reproducible"
+  severity: high
+  category: package-integrity
+  condition: |
+    components[
+      $hasProp($, 'cdx:collider:dependencyKind')
+      and $prop($, 'cdx:collider:hasWrapHash') = 'false'
+    ]
+  location: |
+    { "bomRef": $."bom-ref", "purl": purl }
+  message: "Collider package '{{ name }}@{{ version }}' is missing a valid wrap hash integrity pin"
+  mitigation: "Recreate collider.lock with valid wrap_hash values and verify the lockfile against the repository before release"
+  evidence: |
+    {
+      "wrapHash": $prop($, 'cdx:collider:wrapHash'),
+      "wrapHashInvalid": $prop($, 'cdx:collider:wrapHashInvalid'),
+      "origin": $prop($, 'cdx:collider:origin'),
+      "dependencyKind": $prop($, 'cdx:collider:dependencyKind')
+    }

package/lib/cli/index.js

@@ -64,6 +64,7 @@ import {
   addEvidenceForDotnet,
   addEvidenceForImports,
   addPlugin,
+  attachIdentityTools,
   buildGradleCommandArguments,
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
@@ -88,6 +89,7 @@ import {
   executeParallelGradleProperties,
   executePodCommand,
   extractJarArchive,
+  extractToolRefs,
   frameworksList,
   generatePixiLockFile,
   getAllFiles,
@@ -134,6 +136,7 @@ import {
   parseCloudBuildData,
   parseCmakeLikeFile,
   parseCocoaDependency,
+  parseColliderLockData,
   parseComposerJson,
   parseComposerLock,
   parseConanData,
@@ -329,7 +332,10 @@ const createDefaultParentComponent = (
     group: options.projectGroup || "",
     name: compName,
     version: `${options.projectVersion}` || "latest",
-    type: compName.endsWith(".tar") ? "container" : "application",
+    type:
+      type === "container" || compName.endsWith(".tar")
+        ? "container"
+        : "application",
   };
   const ppurl = new PackageURL(
     type,
@@ -344,6 +350,25 @@ const createDefaultParentComponent = (
   return parentComponent;
 };
 
+const shouldIncludeNodeModulesDir = (options = {}, baseProjectTypes = []) => {
+  if (options.deep) {
+    return true;
+  }
+  const projectTypes = Array.isArray(options.projectType)
+    ? options.projectType
+    : options.projectType
+      ? [options.projectType]
+      : [];
+  if (!projectTypes.length) {
+    return true;
+  }
+  return baseProjectTypes.some((projectType) =>
+    projectTypes.every((selectedProjectType) =>
+      PROJECT_TYPE_ALIASES[projectType]?.includes(selectedProjectType),
+    ),
+  );
+};
+
 const determineParentComponent = (options) => {
   let parentComponent;
   if (options.parentComponent && Object.keys(options.parentComponent).length) {
@@ -1368,17 +1393,21 @@ export async function createJarBom(path, options) {
   let pkgList = [];
   let jarFiles;
   let nsMapping = {};
-  if (!options.exclude) {
-    options.exclude = [];
-  }
-  // We can look for jar files within node_modules directory
-  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
-    options.includeNodeModulesDir = true;
+  const searchOptions = {
+    ...options,
+    exclude: [...(options.exclude || [])],
+  };
+  if (typeof searchOptions.includeNodeModulesDir === "undefined") {
+    searchOptions.includeNodeModulesDir = shouldIncludeNodeModulesDir(options, [
+      "jar",
+      "war",
+      "ear",
+    ]);
   }
   // Exclude certain directories during oci sbom generation
   if (hasAnyProjectType(["oci"], options, false)) {
-    options.exclude.push("**/android-sdk*/**");
-    options.exclude.push("**/.sdkman/**");
+    searchOptions.exclude.push("**/android-sdk*/**");
+    searchOptions.exclude.push("**/.sdkman/**");
   }
   const parentComponent = createDefaultParentComponent(path, "maven", options);
   if (options.useGradleCache) {
@@ -1402,14 +1431,14 @@ export async function createJarBom(path, options) {
     jarFiles = getAllFiles(
       path,
       `${options.multiProject ? "**/" : ""}*.[jw]ar`,
-      options,
+      searchOptions,
     );
   }
   // Jenkins plugins
   const hpiFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}*.hpi`,
-    options,
+    searchOptions,
   );
   if (hpiFiles.length) {
     jarFiles = jarFiles.concat(hpiFiles);
@@ -1464,6 +1493,13 @@ export function createBinaryBom(path, options) {
     const binaryBom = JSON.parse(
       readFileSync(binaryBomFile, { encoding: "utf-8" }),
     );
+    attachIdentityTools(
+      binaryBom?.components,
+      extractToolRefs(
+        binaryBom?.metadata?.tools,
+        (tool) => tool?.name !== "cdxgen",
+      ),
+    );
     return {
       bomJson: binaryBom,
       dependencies: binaryBom.dependencies,
@@ -1891,6 +1927,10 @@ export async function createJavaBom(path, options) {
             ) {
               tools = bomJsonObj.metadata.tools;
             }
+            const toolRefs = extractToolRefs(
+              bomJsonObj?.metadata?.tools,
+              (tool) => tool?.name !== "cdxgen",
+            );
             if (
               bomJsonObj.metadata?.component &&
               !Object.keys(parentComponent).length
@@ -1927,6 +1967,7 @@ export async function createJavaBom(path, options) {
                     name: "SrcFile",
                     value: srcPomFile,
                   });
+                  attachIdentityTools(acomp, toolRefs);
                 }
               }
               pkgList = pkgList.concat(bomJsonObj.components);
@@ -5416,6 +5457,11 @@ export function createCppBom(path, options) {
   let parentComponent;
   let dependencies = [];
   const addedParentComponentsMap = {};
+  const colliderLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}collider.lock`,
+    options,
+  );
   const conanLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}conan.lock`,
@@ -5492,6 +5538,39 @@ export function createCppBom(path, options) {
       }
     }
   }
+  if (colliderLockFiles.length) {
+    for (const f of colliderLockFiles) {
+      if (DEBUG_MODE) {
+        console.log(`Parsing ${f}`);
+      }
+      const colliderLockData = readFileSync(f, { encoding: "utf-8" });
+      const {
+        pkgList: colliderPkgList,
+        dependencies: colliderDependencies,
+        parentComponentDependencies: parentCompDeps,
+      } = parseColliderLockData(colliderLockData, f);
+
+      if (colliderPkgList.length) {
+        pkgList = pkgList.concat(colliderPkgList);
+      }
+
+      if (Object.keys(colliderDependencies).length) {
+        dependencies = mergeDependencies(
+          dependencies,
+          Object.keys(colliderDependencies).map((dependentBomRef) => ({
+            ref: dependentBomRef,
+            dependsOn: colliderDependencies[dependentBomRef],
+          })),
+        );
+      }
+
+      if (parentCompDeps.length) {
+        parentComponentDependencies = [
+          ...new Set(parentComponentDependencies.concat(parentCompDeps)),
+        ];
+      }
+    }
+  }
   if (cmakeLikeFiles.length) {
     for (const f of cmakeLikeFiles) {
       if (DEBUG_MODE) {
@@ -6830,24 +6909,26 @@ export async function createContainerSpecLikeBom(path, options) {
 export function createPHPBom(path, options) {
   let dependencies = [];
   let parentComponent = {};
-  // We can look for composer files within node_modules directory
-  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
-    options.includeNodeModulesDir = true;
-  }
+  const searchOptions = {
+    ...options,
+    includeNodeModulesDir:
+      typeof options.includeNodeModulesDir === "undefined"
+        ? shouldIncludeNodeModulesDir(options, ["php"])
+        : options.includeNodeModulesDir,
+  };
+  const composerLockSearchOptions = {
+    ...searchOptions,
+    exclude: [...(options.exclude || []), "**/vendor/**"],
+  };
   const composerJsonFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.json`,
-    options,
+    searchOptions,
   );
-  if (!options.exclude) {
-    options.exclude = [];
-  }
-  // Ignore vendor directories for lock files
-  options.exclude.push("**/vendor/**");
   let composerLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.lock`,
-    options,
+    composerLockSearchOptions,
   );
   let pkgList = [];
   const composerJsonMode = composerJsonFiles.length;
@@ -6910,7 +6991,7 @@ export function createPHPBom(path, options) {
   composerLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.lock`,
-    options,
+    composerLockSearchOptions,
   );
   if (composerLockFiles.length) {
     // Look for any root composer.json to capture the parentComponent
@@ -8058,6 +8139,7 @@ export async function createMultiXBom(pathList, options) {
       binPaths,
       executables,
       sharedLibs,
+      tools,
     } = await getOSPackages(
       options.allLayersExplodedDir,
       options.exportData?.inspectData?.Config,
@@ -8088,6 +8170,13 @@ export async function createMultiXBom(pathList, options) {
     if (allTypes?.length) {
       options.allOSComponentTypes = allTypes;
     }
+    if (tools?.length) {
+      options.tools = (
+        Array.isArray(options.tools)
+          ? options.tools
+          : options.tools?.components || []
+      ).concat(tools);
+    }
     components = components.concat(osPackages);
     components = components.concat(executables);
     components = components.concat(sharedLibs);
@@ -9162,6 +9251,11 @@ export async function createXBom(path, options) {
     `${options.multiProject ? "**/" : ""}conan.lock`,
     options,
   );
+  const colliderLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}collider.lock`,
+    options,
+  );
   const conanFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}conanfile.txt`,
@@ -9178,6 +9272,7 @@ export async function createXBom(path, options) {
     options,
   );
   if (
+    colliderLockFiles.length ||
     conanLockFiles.length ||
     conanFiles.length ||
     cmakeListFiles.length ||
@@ -9347,6 +9442,10 @@ export async function createBom(path, options) {
   }
   let exportData;
   let isContainerMode = false;
+  const isLocalDirectoryInput =
+    !options.projectType?.includes("universal") &&
+    safeExistsSync(path) &&
+    lstatSync(path).isDirectory();
   // Docker and image archive support
   // TODO: Support any source archive
   if (path.endsWith(".tar") || path.endsWith(".tar.gz")) {
@@ -9359,6 +9458,22 @@ export async function createBom(path, options) {
       return {};
     }
     isContainerMode = true;
+  } else if (
+    isLocalDirectoryInput &&
+    (hasAnyProjectType(["oci-dir"], options, false) ||
+      hasAnyProjectType(["oci"], options, false))
+  ) {
+    isContainerMode = true;
+    exportData = {
+      inspectData: undefined,
+      lastWorkingDir: "",
+      allLayersDir: path,
+      allLayersExplodedDir: path,
+    };
+    if (safeExistsSync(join(path, "all-layers"))) {
+      exportData.allLayersExplodedDir = join(path, "all-layers");
+    }
+    exportData.pkgPathList = getPkgPathList(exportData, undefined);
   } else if (
     (options.projectType &&
       !options.projectType?.includes("universal") &&
@@ -9386,21 +9501,6 @@ export async function createBom(path, options) {
         console.log(path, "doesn't appear to be a valid container image.");
       }
     }
-  } else if (
-    !options.projectType?.includes("universal") &&
-    hasAnyProjectType(["oci-dir"], options, false)
-  ) {
-    isContainerMode = true;
-    exportData = {
-      inspectData: undefined,
-      lastWorkingDir: "",
-      allLayersDir: path,
-      allLayersExplodedDir: path,
-    };
-    if (safeExistsSync(join(path, "all-layers"))) {
-      exportData.allLayersDir = join(path, "all-layers");
-    }
-    exportData.pkgPathList = getPkgPathList(exportData, undefined);
   }
   if (isContainerMode) {
     options.multiProject = true;
@@ -9680,6 +9780,7 @@ export async function submitBom(args, bomContents) {
     // See issue #1963 regarding CRLF hardening
     return await got(serverUrl, {
       method: "PUT",
+      followRedirect: false,
       https: {
         rejectUnauthorized: !args.skipDtTlsCheck,
       },
@@ -9705,11 +9806,12 @@ export async function submitBom(args, bomContents) {
       try {
         return await got(serverUrl, {
           method: "POST",
+          followRedirect: false,
           https: {
             rejectUnauthorized: !args.skipDtTlsCheck,
           },
           headers: {
-            "X-Api-Key": args.apiKey,
+            "X-Api-Key": (args.apiKey || "").replace(/[\r\n]/g, ""),
             "Content-Type": "application/json",
             "user-agent": `@CycloneDX/cdxgen ${CDXGEN_VERSION}`,
           },