@cyclonedx/cdxgen 12.3.2 → 12.3.3

package/lib/helpers/utils.poku.js

@@ -1,10 +1,12 @@
 import { Buffer } from "node:buffer";
 import {
+  chmodSync,
   existsSync,
   mkdirSync,
   mkdtempSync,
   readFileSync,
   rmSync,
+  symlinkSync,
   unlinkSync,
   writeFileSync,
 } from "node:fs";
@@ -21,10 +23,13 @@ import { parse as loadYaml } from "yaml";
 
 import { validateRefs } from "../validator/bomValidator.js";
 import {
+  attachIdentityTools,
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
+  collectExecutables,
   convertOSQueryResults,
   encodeForPurl,
+  extractToolRefs,
   findLicenseId,
   findPnpmPackagePath,
   getCratesMetadata,
@@ -59,6 +64,7 @@ import {
   parseCmakeDotFile,
   parseCmakeLikeFile,
   parseCocoaDependency,
+  parseColliderLockData,
   parseComposerJson,
   parseComposerLock,
   parseConanData,
@@ -1276,6 +1282,84 @@ it("get py metadata", async () => {
   ]);
 }, 240000);
 
+it("get py metadata adds distribution external references", async () => {
+  const agentGetStub = sinon.stub().resolves({
+    body: {
+      info: {
+        author: "",
+        author_email: "",
+        classifiers: [],
+        license: "",
+        license_expression: "",
+        name: "requests",
+        summary: "HTTP client",
+        version: "2.31.0",
+      },
+      releases: {
+        "2.31.0": [
+          {
+            digests: { sha256: "abc123" },
+            filename: "requests-2.31.0-py3-none-any.whl",
+            packagetype: "bdist_wheel",
+            url: "https://files.pythonhosted.org/packages/example/requests-2.31.0-py3-none-any.whl",
+          },
+          {
+            digests: { sha256: "def456" },
+            filename: "requests-2.31.0.tar.gz",
+            packagetype: "sdist",
+            url: "https://files.pythonhosted.org/packages/example/requests-2.31.0.tar.gz",
+          },
+        ],
+      },
+    },
+  });
+  const { getPyMetadata: mockedGetPyMetadata } = await esmock("./utils.js", {
+    got: {
+      default: {
+        extend: sinon.stub().returns({ get: agentGetStub }),
+      },
+    },
+  });
+  const data = await mockedGetPyMetadata(
+    [
+      {
+        externalReferences: [
+          {
+            type: "website",
+            url: "https://example.com/requests",
+          },
+        ],
+        group: "",
+        name: "requests",
+        version: "2.31.0",
+      },
+    ],
+    true,
+  );
+  assert.strictEqual(data.length, 1);
+  assert.ok(
+    data[0].externalReferences?.some(
+      (reference) => reference.type === "website",
+    ),
+  );
+  assert.ok(
+    data[0].externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" &&
+        reference.url.endsWith(".whl") &&
+        reference.comment === "requests-2.31.0-py3-none-any.whl",
+    ),
+  );
+  assert.ok(
+    data[0].externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" &&
+        reference.url.endsWith(".tar.gz") &&
+        reference.comment === "requests-2.31.0.tar.gz",
+    ),
+  );
+});
+
 it("parseGoModData", async () => {
   let retMap = await parseGoModData(null);
   assert.deepStrictEqual(retMap, {});
@@ -2305,6 +2389,49 @@ bindgen = { version = "0.70.0", default-features = false }
   }
 });
 
+it("parse cargo toml captures git dependency metadata", async () => {
+  const tmpDir = mkdtempSync(path.join(tmpdir(), "cdxgen-cargo-git-"));
+  const cargoTomlFile = path.join(tmpDir, "Cargo.toml");
+  writeFileSync(
+    cargoTomlFile,
+    `[package]
+name = "demo"
+version = "1.0.0"
+
+[dependencies]
+git-crate = { git = "https://github.com/acme/git-crate.git", branch = "main" }
+`,
+  );
+  try {
+    const depList = await parseCargoTomlData(cargoTomlFile);
+    const gitDep = depList.find((pkg) => pkg.name === "git-crate");
+    assert.ok(gitDep);
+    assert.strictEqual(
+      gitDep.version,
+      "git+https://github.com/acme/git-crate.git",
+    );
+    assert.strictEqual(
+      gitDep.properties.find((property) => property.name === "cdx:cargo:git")
+        ?.value,
+      "https://github.com/acme/git-crate.git",
+    );
+    assert.strictEqual(
+      gitDep.properties.find(
+        (property) => property.name === "cdx:cargo:gitBranch",
+      )?.value,
+      "main",
+    );
+    assert.strictEqual(
+      gitDep.properties.find(
+        (property) => property.name === "cdx:cargo:dependencyKind",
+      )?.value,
+      "runtime",
+    );
+  } finally {
+    rmSync(tmpDir, { force: true, recursive: true });
+  }
+});
+
 it("parse cargo virtual workspace with inherited package and dependency metadata", async () => {
   const workspaceDir = "./test/data/cargo-workspace-repotest";
   const workspaceToml = path.join(workspaceDir, "Cargo.toml");
@@ -2825,6 +2952,221 @@ it("parse conan data", () => {
   });
 });
 
+it("parse collider lock data", () => {
+  let colliderLockData = parseColliderLockData(null);
+  assert.deepStrictEqual(colliderLockData.pkgList.length, 0);
+  assert.deepStrictEqual(Object.keys(colliderLockData.dependencies).length, 0);
+  assert.deepStrictEqual(
+    colliderLockData.parentComponentDependencies.length,
+    0,
+  );
+
+  colliderLockData = parseColliderLockData(
+    readFileSync("./test/data/collider.lock", { encoding: "utf-8" }),
+    "./test/data/collider.lock",
+  );
+  assert.deepStrictEqual(colliderLockData.pkgList.length, 3);
+  assert.deepStrictEqual(colliderLockData.pkgList[0], {
+    name: "fmt",
+    version: "11.0.2",
+    "bom-ref": "pkg:generic/fmt@11.0.2",
+    externalReferences: [
+      {
+        type: "distribution",
+        url: "https://packages.example.com/collider/v2/",
+      },
+    ],
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+      },
+    ],
+    properties: [
+      { name: "SrcFile", value: "./test/data/collider.lock" },
+      { name: "cdx:collider:dependencyKind", value: "direct" },
+      {
+        name: "cdx:collider:wrapHash",
+        value:
+          "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+      },
+      { name: "cdx:collider:hasWrapHash", value: "true" },
+      {
+        name: "cdx:collider:origin",
+        value: "https://packages.example.com/collider/v2/",
+      },
+      { name: "cdx:collider:originScheme", value: "https" },
+      { name: "cdx:collider:originHost", value: "packages.example.com" },
+    ],
+    purl: "pkg:generic/fmt@11.0.2",
+    scope: "required",
+  });
+  assert.deepStrictEqual(colliderLockData.pkgList[1], {
+    name: "spdlog",
+    version: "1.15.0",
+    "bom-ref": "pkg:generic/spdlog@1.15.0",
+    externalReferences: [
+      {
+        type: "distribution",
+        url: "https://packages.example.com/collider/v2/",
+      },
+    ],
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+      },
+    ],
+    properties: [
+      { name: "SrcFile", value: "./test/data/collider.lock" },
+      { name: "cdx:collider:dependencyKind", value: "direct" },
+      {
+        name: "cdx:collider:wrapHash",
+        value:
+          "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+      },
+      { name: "cdx:collider:hasWrapHash", value: "true" },
+      {
+        name: "cdx:collider:origin",
+        value: "https://packages.example.com/collider/v2/",
+      },
+      { name: "cdx:collider:originScheme", value: "https" },
+      { name: "cdx:collider:originHost", value: "packages.example.com" },
+    ],
+    purl: "pkg:generic/spdlog@1.15.0",
+    scope: "required",
+  });
+  assert.deepStrictEqual(colliderLockData.pkgList[2], {
+    name: "fast_float",
+    version: "8.0.2",
+    "bom-ref": "pkg:generic/fast_float@8.0.2",
+    externalReferences: [
+      {
+        type: "distribution",
+        url: "https://wrapdb.mesonbuild.com/v2/",
+      },
+    ],
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+      },
+    ],
+    properties: [
+      { name: "SrcFile", value: "./test/data/collider.lock" },
+      { name: "cdx:collider:dependencyKind", value: "transitive" },
+      {
+        name: "cdx:collider:wrapHash",
+        value:
+          "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+      },
+      { name: "cdx:collider:hasWrapHash", value: "true" },
+      {
+        name: "cdx:collider:origin",
+        value: "https://wrapdb.mesonbuild.com/v2/",
+      },
+      { name: "cdx:collider:originScheme", value: "https" },
+      { name: "cdx:collider:originHost", value: "wrapdb.mesonbuild.com" },
+    ],
+    purl: "pkg:generic/fast_float@8.0.2",
+  });
+  assert.deepStrictEqual(colliderLockData.dependencies, {
+    "pkg:generic/fmt@11.0.2": [],
+    "pkg:generic/spdlog@1.15.0": [],
+    "pkg:generic/fast_float@8.0.2": [],
+  });
+  assert.deepStrictEqual(colliderLockData.parentComponentDependencies, [
+    "pkg:generic/fmt@11.0.2",
+    "pkg:generic/spdlog@1.15.0",
+  ]);
+});
+
+it("parse collider lock data sanitizes origin metadata and tracks invalid wrap hashes", () => {
+  const colliderLockData = parseColliderLockData(
+    JSON.stringify({
+      version: 1,
+      dependencies: {
+        "unsafe-origin": {
+          version: "1.0.0",
+          wrap_hash:
+            "sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
+          origin: "https://user:pass@example.com/private/v2/?token=secret#frag",
+        },
+      },
+      packages: {
+        malformed: {
+          version: "2.0.0",
+          wrap_hash: "not-a-sha256",
+          origin: "http://mirror.example.com/collider/v2/?sig=123",
+        },
+        "bad-origin": {
+          version: "3.0.0",
+          wrap_hash:
+            "sha256:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
+          origin: "://not a url",
+        },
+      },
+    }),
+    "/repo/collider.lock",
+  );
+  assert.strictEqual(colliderLockData.pkgList.length, 3);
+  const unsafeOrigin = colliderLockData.pkgList.find(
+    (pkg) => pkg.name === "unsafe-origin",
+  );
+  const malformed = colliderLockData.pkgList.find(
+    (pkg) => pkg.name === "malformed",
+  );
+  const badOrigin = colliderLockData.pkgList.find(
+    (pkg) => pkg.name === "bad-origin",
+  );
+  assert.deepStrictEqual(
+    unsafeOrigin.properties.find(
+      (property) => property.name === "cdx:collider:origin",
+    )?.value,
+    "https://example.com/private/v2/",
+  );
+  assert.deepStrictEqual(
+    unsafeOrigin.properties.find(
+      (property) => property.name === "cdx:collider:originSanitized",
+    )?.value,
+    "true",
+  );
+  assert.deepStrictEqual(unsafeOrigin.externalReferences, [
+    {
+      type: "distribution",
+      url: "https://example.com/private/v2/",
+    },
+  ]);
+  assert.deepStrictEqual(
+    malformed.properties.find(
+      (property) => property.name === "cdx:collider:hasWrapHash",
+    )?.value,
+    "false",
+  );
+  assert.deepStrictEqual(
+    malformed.properties.find(
+      (property) => property.name === "cdx:collider:wrapHashInvalid",
+    )?.value,
+    "true",
+  );
+  assert.deepStrictEqual(
+    malformed.properties.find(
+      (property) => property.name === "cdx:collider:origin",
+    )?.value,
+    "http://mirror.example.com/collider/v2/",
+  );
+  assert.ok(!malformed.hashes);
+  assert.ok(
+    !badOrigin.properties.some(
+      (property) => property.name === "cdx:collider:origin",
+    ),
+  );
+  assert.ok(!badOrigin.externalReferences);
+});
+
 it("conan package reference mapper to pURL", () => {
   const checkParseResult = (inputPkgRef, expectedPurl) => {
     const [purl, name, version] =
@@ -4823,6 +5165,181 @@ it("parsePkgLock marks devOptional entries as development", async () => {
   );
 });
 
+it("parsePkgLock captures manifest-declared npm direct sources", async () => {
+  const rootNode = {
+    path: "/virtual/project",
+    package: {
+      author: "",
+      license: "MIT",
+    },
+    packageName: "virtual-project",
+    version: "1.0.0",
+    edgesOut: new Map(),
+    fsChildren: new Set(),
+    children: new Map(),
+  };
+  const gitNode = {
+    path: "/virtual/project/node_modules/git-dep",
+    package: {
+      author: "",
+      license: "MIT",
+    },
+    packageName: "git-dep",
+    version: "2.0.0",
+    hasInstallScript: true,
+    integrity: "sha512-gitdep",
+    edgesIn: new Set([
+      {
+        name: "git-dep",
+        spec: "git+https://github.com/acme/git-dep.git",
+      },
+    ]),
+    edgesOut: new Map(),
+    fsChildren: new Set(),
+    children: new Map(),
+  };
+  rootNode.children.set("node_modules/git-dep", gitNode);
+  rootNode.edgesOut.set("git-dep", {
+    name: "git-dep",
+    spec: "git+https://github.com/acme/git-dep.git",
+    to: gitNode,
+  });
+  const { parsePkgLock: parsePkgLockWithMockedArborist } = await esmock(
+    "./utils.js",
+    {
+      "../third-party/arborist/lib/index.js": {
+        default: class MockArborist {
+          async loadVirtual() {
+            return rootNode;
+          }
+        },
+      },
+    },
+  );
+  const parsedList = await parsePkgLockWithMockedArborist(
+    "./test/data/package-json/v3/package-lock.json",
+    {},
+  );
+  const gitDepPkg = parsedList.pkgList.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/git-dep@2.0.0",
+  );
+  assert.ok(gitDepPkg);
+  assert.ok(
+    gitDepPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:manifestSourceType" &&
+        property.value === "git",
+    ),
+  );
+  assert.ok(
+    gitDepPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:manifestSource" &&
+        property.value === "git+https://github.com/acme/git-dep.git",
+    ),
+  );
+});
+
+it("parsePkgLock captures supported npm manifest source syntaxes", async () => {
+  const rootNode = {
+    path: "/virtual/project",
+    package: {
+      author: "",
+      license: "MIT",
+    },
+    packageName: "virtual-project",
+    version: "1.0.0",
+    edgesOut: new Map(),
+    fsChildren: new Set(),
+    children: new Map(),
+  };
+  const sourceCases = [
+    ["git-plus", "git+https://github.com/acme/git-plus.git", "git"],
+    ["git-protocol", "git://github.com/acme/git-protocol.git", "git"],
+    ["github-shortcut", "github:acme/github-shortcut", "git"],
+    ["gitlab-shortcut", "gitlab:acme/gitlab-shortcut", "git"],
+    ["bitbucket-shortcut", "bitbucket:acme/bitbucket-shortcut", "git"],
+    ["gist-shortcut", "gist:1234567890abcdef", "git"],
+    ["http-archive", "http://example.com/http-archive.tgz", "url"],
+    ["https-archive", "https://example.com/https-archive.tgz", "url"],
+    ["file-source", "file:../libs/file-source", "path"],
+    ["link-source", "link:../libs/link-source", "path"],
+    ["workspace-source", "workspace:*", "path"],
+    ["relative-source", "./libs/relative-source", "path"],
+    ["parent-source", "../libs/parent-source", "path"],
+    ["absolute-source", "/opt/libs/absolute-source", "path"],
+    ["windows-source", "C:\\libs\\windows-source", "path"],
+  ];
+
+  for (const [packageName, spec] of sourceCases) {
+    const childPath = `/virtual/project/node_modules/${packageName}`;
+    const childNode = {
+      path: childPath,
+      package: {
+        author: "",
+        license: "MIT",
+      },
+      packageName,
+      version: "1.0.0",
+      integrity: `sha512-${packageName}`,
+      edgesIn: new Set([
+        {
+          name: packageName,
+          spec,
+        },
+      ]),
+      edgesOut: new Map(),
+      fsChildren: new Set(),
+      children: new Map(),
+    };
+    rootNode.children.set(`node_modules/${packageName}`, childNode);
+    rootNode.edgesOut.set(packageName, {
+      name: packageName,
+      spec,
+      to: childNode,
+    });
+  }
+
+  const { parsePkgLock: parsePkgLockWithMockedArborist } = await esmock(
+    "./utils.js",
+    {
+      "../third-party/arborist/lib/index.js": {
+        default: class MockArborist {
+          async loadVirtual() {
+            return rootNode;
+          }
+        },
+      },
+    },
+  );
+  const parsedList = await parsePkgLockWithMockedArborist(
+    "./test/data/package-json/v3/package-lock.json",
+    {},
+  );
+
+  for (const [packageName, spec, expectedType] of sourceCases) {
+    const pkg = parsedList.pkgList.find(
+      (parsedPkg) => parsedPkg.name === packageName,
+    );
+    assert.ok(pkg, `expected ${packageName} to be parsed`);
+    assert.ok(
+      pkg.properties.some(
+        (property) =>
+          property.name === "cdx:npm:manifestSourceType" &&
+          property.value === expectedType,
+      ),
+      `expected ${packageName} manifest source type ${expectedType}`,
+    );
+    assert.ok(
+      pkg.properties.some(
+        (property) =>
+          property.name === "cdx:npm:manifestSource" && property.value === spec,
+      ),
+      `expected ${packageName} manifest source ${spec}`,
+    );
+  }
+});
+
 it("parsePkgLock theia", async () => {
   const parsedList = await parsePkgLock(
     "./test/data/package-json/theia/package-lock.json",
@@ -7465,6 +7982,112 @@ it("parse requirements.txt", async () => {
   }
 });
 
+it("parse requirements.txt enriches distribution references when package metadata fetch is enabled", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-req-pypi-"));
+  const reqFile = path.join(tempDir, "requirements.txt");
+  const agentGetStub = sinon.stub().resolves({
+    body: {
+      info: {
+        author: "",
+        author_email: "",
+        classifiers: [],
+        license: "",
+        license_expression: "",
+        name: "requests",
+        summary: "HTTP client",
+        version: "2.31.0",
+      },
+      releases: {
+        "2.31.0": [
+          {
+            digests: { sha256: "abc123" },
+            filename: "requests-2.31.0-py3-none-any.whl",
+            packagetype: "bdist_wheel",
+            url: "https://files.pythonhosted.org/packages/example/requests-2.31.0-py3-none-any.whl",
+          },
+        ],
+      },
+    },
+  });
+  writeFileSync(reqFile, "requests==2.31.0\n", "utf-8");
+  const { parseReqFile: mockedParseReqFile } = await esmock("./utils.js", {
+    got: {
+      default: {
+        extend: sinon.stub().returns({ get: agentGetStub }),
+      },
+    },
+  });
+  try {
+    const deps = await mockedParseReqFile(reqFile, true);
+    assert.strictEqual(deps.length, 1);
+    assert.ok(
+      deps[0].externalReferences?.some(
+        (reference) =>
+          reference.type === "distribution" && reference.url.endsWith(".whl"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+it("parse requirements.txt captures direct manifest sources", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-req-source-"));
+  const reqFile = path.join(tempDir, "requirements.txt");
+  writeFileSync(
+    reqFile,
+    [
+      "requests @ https://example.com/packages/requests-2.31.0.whl  # MIT",
+      "-e git+https://github.com/acme/private-lib.git#egg=private-lib",
+      "",
+    ].join("\n"),
+    "utf-8",
+  );
+  try {
+    const deps = await parseReqFile(reqFile, false);
+    const requestsPkg = deps.find((pkg) => pkg.name === "requests");
+    assert.ok(requestsPkg);
+    assert.ok(
+      requestsPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSourceType" &&
+          property.value === "url",
+      ),
+    );
+    assert.ok(
+      requestsPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSource" &&
+          property.value === "https://example.com/packages/requests-2.31.0.whl",
+      ),
+    );
+    assert.deepStrictEqual(requestsPkg.licenses, [
+      {
+        license: {
+          id: "MIT",
+        },
+      },
+    ]);
+    const privateLibPkg = deps.find((pkg) => pkg.name === "private-lib");
+    assert.ok(privateLibPkg);
+    assert.ok(
+      privateLibPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSourceType" &&
+          property.value === "git",
+      ),
+    );
+    assert.ok(
+      privateLibPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:editable" && property.value === "true",
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
 it("parse pyproject.toml", () => {
   let retMap = parsePyProjectTomlFile("./test/data/pyproject.toml");
   assert.deepStrictEqual(retMap.parentComponent, {
@@ -7669,6 +8292,120 @@ it("parse pyproject.toml with custom poetry source", () => {
   assert.deepStrictEqual(Object.keys(retMap.directDepsKeys).length, 6);
 });
 
+it("parse pyproject.toml captures dependency manifest sources", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pyproject-source-"));
+  const pyProjectFile = path.join(tempDir, "pyproject.toml");
+  writeFileSync(
+    pyProjectFile,
+    `
+[project]
+name = "demo-app"
+version = "0.1.0"
+dependencies = ["anyio[http2] @ https://example.com/packages/anyio.whl"]
+
+[tool.poetry.dependencies]
+python = ">=3.11"
+poetry-git = { git = "https://github.com/acme/poetry-git.git" }
+
+[tool.uv.sources]
+uv-path = { path = "../libs/uv-path" }
+    `.trim(),
+    "utf-8",
+  );
+  try {
+    const pyProjectData = parsePyProjectTomlFile(pyProjectFile);
+    assert.deepStrictEqual(pyProjectData.dependencySourceMap.anyio, {
+      type: "url",
+      value: "https://example.com/packages/anyio.whl",
+    });
+    assert.strictEqual(pyProjectData.directDepsKeys.anyio, true);
+    assert.deepStrictEqual(pyProjectData.dependencySourceMap["poetry-git"], {
+      type: "git",
+      value: "https://github.com/acme/poetry-git.git",
+    });
+    assert.deepStrictEqual(pyProjectData.dependencySourceMap["uv-path"], {
+      type: "path",
+      value: "../libs/uv-path",
+    });
+
+    const retMap = await parsePyLockData(
+      readFileSync("./test/data/uv.lock", { encoding: "utf-8" }),
+      "./test/data/uv.lock",
+      pyProjectFile,
+    );
+    const anyioPkg = retMap.pkgList.find((pkg) => pkg.name === "anyio");
+    assert.ok(anyioPkg);
+    assert.ok(
+      anyioPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSourceType" &&
+          property.value === "url",
+      ),
+    );
+    assert.ok(
+      anyioPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSource" &&
+          property.value === "https://example.com/packages/anyio.whl",
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+it("normalizes pyproject direct dependency keys when matching pylock packages", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pylock-normalize-"));
+  const pyProjectFile = path.join(tempDir, "pyproject.toml");
+  const pyLockFile = path.join(tempDir, "pylock.toml");
+  writeFileSync(
+    pyProjectFile,
+    `
+[project]
+name = "normalize-demo"
+version = "1.0.0"
+dependencies = [
+  "demo_pkg @ https://example.com/packages/demo-pkg-1.0.0.whl",
+]
+    `.trim(),
+    "utf-8",
+  );
+  writeFileSync(
+    pyLockFile,
+    `
+lock-version = "1.0"
+created-by = "poku"
+
+[[packages]]
+name = "demo-pkg"
+version = "1.0.0"
+index = "https://pypi.org/simple/"
+wheels = [
+  { name = "demo_pkg-1.0.0-py3-none-any.whl", url = "https://example.com/packages/demo-pkg-1.0.0.whl", size = 1234, upload-time = 2026-01-01T00:00:00+00:00, hashes = { sha256 = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" } },
+]
+    `.trim(),
+    "utf-8",
+  );
+  try {
+    const retMap = await parsePyLockData(
+      readFileSync(pyLockFile, { encoding: "utf-8" }),
+      pyLockFile,
+      pyProjectFile,
+    );
+    assert.strictEqual(retMap.rootList.length, 1);
+    assert.strictEqual(retMap.rootList[0].name, "demo-pkg");
+    assert.ok(
+      retMap.rootList[0].properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSourceType" &&
+          property.value === "url",
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
 it("parse python lock files", async () => {
   let retMap = await parsePyLockData(
     readFileSync("./test/data/poetry.lock", { encoding: "utf-8" }),
@@ -7695,12 +8432,28 @@ it("parse python lock files", async () => {
   );
   assert.deepStrictEqual(retMap.pkgList.length, 39);
   assert.deepStrictEqual(retMap.dependenciesList.length, 37);
+  const pdmBlinkerPkg = retMap.pkgList.find((p) => p.name === "blinker");
+  assert.ok(
+    pdmBlinkerPkg.externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" && reference.url.endsWith(".whl"),
+    ),
+    "Expected pdm.lock metadata files to populate distribution externalReferences",
+  );
   retMap = await parsePyLockData(
     readFileSync("./test/data/uv.lock", { encoding: "utf-8" }),
     "./test/data/uv.lock",
   );
   assert.deepStrictEqual(retMap.pkgList.length, 63);
   assert.deepStrictEqual(retMap.dependenciesList.length, 63);
+  const uvAnyioPkg = retMap.pkgList.find((p) => p.name === "anyio");
+  assert.ok(
+    uvAnyioPkg.externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" && reference.url.endsWith(".whl"),
+    ),
+    "Expected uv.lock packages to populate distribution externalReferences",
+  );
   retMap = await parsePyLockData(
     readFileSync("./test/data/uv-workspace.lock", { encoding: "utf-8" }),
     "./test/data/uv-workspace.lock",
@@ -7727,6 +8480,13 @@ it("parse python lock files", async () => {
     attrsPkg.components?.length,
     "Expected pylock wheel entry to produce file component",
   );
+  assert.ok(
+    attrsPkg.externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" && reference.url.endsWith(".whl"),
+    ),
+    "Expected pylock package to retain distribution externalReferences",
+  );
   const cattrsPkg = retMap.pkgList.find((p) => p.name === "cattrs");
   assert.ok(
     cattrsPkg.properties.some(
@@ -8881,6 +9641,80 @@ it("parsePackageJsonName tests", () => {
   });
 });
 
+it("extractToolRefs collects unique bom-refs from metadata.tools", () => {
+  assert.deepStrictEqual(
+    extractToolRefs(
+      {
+        components: [
+          { name: "trivy", "bom-ref": "pkg:generic/trivy@0.1.0" },
+          { name: "trivy", "bom-ref": "pkg:generic/trivy@0.1.0" },
+          { name: "cdxgen" },
+        ],
+        services: [{ name: "blint", "bom-ref": "urn:tool:blint" }],
+      },
+      (tool) => tool.name !== "cdxgen",
+    ),
+    ["pkg:generic/trivy@0.1.0", "urn:tool:blint"],
+  );
+});
+
+it("extractToolRefs derives and persists bom-refs for external tools", () => {
+  const tools = {
+    components: [
+      {
+        group: "aquasecurity",
+        name: "trivy",
+        version: "dev",
+      },
+    ],
+  };
+  assert.deepStrictEqual(extractToolRefs(tools), [
+    "pkg:generic/aquasecurity/trivy@dev",
+  ]);
+  assert.strictEqual(
+    tools.components[0]["bom-ref"],
+    "pkg:generic/aquasecurity/trivy@dev",
+  );
+});
+
+it("attachIdentityTools adds tool references to object and array identities", () => {
+  const subjects = [
+    {
+      evidence: {
+        identity: {
+          field: "purl",
+          tools: ["pkg:generic/existing-tool@1.0.0"],
+        },
+      },
+    },
+    {
+      evidence: {
+        identity: [
+          { field: "purl" },
+          { field: "hash", tools: ["urn:tool:hash"] },
+        ],
+      },
+    },
+  ];
+  attachIdentityTools(subjects, [
+    "pkg:generic/existing-tool@1.0.0",
+    "pkg:generic/trivy@0.1.0",
+  ]);
+  assert.deepStrictEqual(subjects[0].evidence.identity.tools, [
+    "pkg:generic/existing-tool@1.0.0",
+    "pkg:generic/trivy@0.1.0",
+  ]);
+  assert.deepStrictEqual(subjects[1].evidence.identity[0].tools, [
+    "pkg:generic/existing-tool@1.0.0",
+    "pkg:generic/trivy@0.1.0",
+  ]);
+  assert.deepStrictEqual(subjects[1].evidence.identity[1].tools, [
+    "urn:tool:hash",
+    "pkg:generic/existing-tool@1.0.0",
+    "pkg:generic/trivy@0.1.0",
+  ]);
+});
+
 it("parseDot tests", () => {
   const retMap = parseCmakeDotFile("./test/data/tslite.dot", "conan");
   assert.deepStrictEqual(retMap.parentComponent, {
@@ -9055,6 +9889,20 @@ it("hasAnyProjectType tests", () => {
     }),
     true,
   );
+  assert.deepStrictEqual(
+    hasAnyProjectType(["oci"], {
+      projectType: ["rootfs"],
+      excludeType: undefined,
+    }),
+    true,
+  );
+  assert.deepStrictEqual(
+    hasAnyProjectType(["docker"], {
+      projectType: ["rootfs"],
+      excludeType: undefined,
+    }),
+    true,
+  );
 
   assert.deepStrictEqual(
     hasAnyProjectType(["js"], {
@@ -9855,4 +10703,38 @@ describe("convertOSQueryResults", () => {
     assert.ok(propertyMap["cdx:lolbas:functions"].includes("download"));
     assert.ok(propertyMap["cdx:lolbas:attackTechniques"].includes("T1059.001"));
   });
+
+  it("collectExecutables() prefers usr-merged executable paths", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-executables-"));
+    try {
+      mkdirSync(path.join(tempDir, "usr", "bin"), { recursive: true });
+      mkdirSync(path.join(tempDir, "usr", "sbin"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "bin", "which"), "#!/bin/sh\n");
+      writeFileSync(
+        path.join(tempDir, "usr", "sbin", "zramctl"),
+        "#!/bin/sh\n",
+      );
+      chmodSync(path.join(tempDir, "usr", "bin", "which"), 0o755);
+      chmodSync(path.join(tempDir, "usr", "sbin", "zramctl"), 0o755);
+      symlinkSync(path.join(tempDir, "usr", "bin"), path.join(tempDir, "bin"));
+      symlinkSync(
+        path.join(tempDir, "usr", "sbin"),
+        path.join(tempDir, "sbin"),
+      );
+
+      const result = collectExecutables(tempDir, [
+        "/bin",
+        "/usr/bin",
+        "/sbin",
+        "/usr/sbin",
+      ]);
+
+      assert.deepStrictEqual(result, ["usr/bin/which", "usr/sbin/zramctl"]);
+    } finally {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
 });