@cyclonedx/cdxgen 12.3.2 → 12.4.0

package/lib/cli/index.js

@@ -11,7 +11,6 @@ import { platform as _platform, arch, homedir } from "node:os";
 import { basename, dirname, join, relative, resolve, sep } from "node:path";
 import process from "node:process";
 
-import got from "got";
 import { PackageURL } from "packageurl-js";
 import { gte, lte } from "semver";
 import { parse } from "ssri";
@@ -35,8 +34,15 @@ import {
   detectPythonMcpInventory,
   findJSImportsExports,
 } from "../helpers/analyzer.js";
+import {
+  cleanupAsarTempDir,
+  extractAsarToTempDir,
+  parseAsarArchive,
+  rewriteExtractedArchivePaths,
+} from "../helpers/asarutils.js";
 import { expandBomAuditCategories } from "../helpers/auditCategories.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
+import { collectSourceCryptoComponents } from "../helpers/cbomutils.js";
 import {
   CHROME_EXTENSION_PURL_TYPE,
   collectChromeExtensionsFromPath,
@@ -49,27 +55,33 @@ import {
   trimComponents,
 } from "../helpers/depsUtils.js";
 import { GIT_COMMAND } from "../helpers/envcontext.js";
-import { thoughtLog } from "../helpers/logger.js";
 import {
-  classifyMcpReference,
-  enrichComponentWithMcpMetadata,
-} from "../helpers/mcp.js";
+  createHbomDocument,
+  ensureHbomRuntimeSupport,
+  ensureNoMixedHbomProjectTypes,
+  hasHbomProjectType,
+} from "../helpers/hbom.js";
+import { mergeHostInventoryBoms } from "../helpers/hostTopology.js";
+import { thoughtLog } from "../helpers/logger.js";
+import { enrichComponentWithMcpMetadata } from "../helpers/mcp.js";
 import { isPyLockFile } from "../helpers/pylockutils.js";
 import {
   buildDependencyTrackBomPayload,
-  getDependencyTrackBomUrl,
+  getDependencyTrackBomApiUrl,
 } from "../helpers/remote/dependency-track.js";
 import { table } from "../helpers/table.js";
 import {
   addEvidenceForDotnet,
   addEvidenceForImports,
   addPlugin,
+  attachIdentityTools,
   buildGradleCommandArguments,
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
   CARGO_CMD,
   CDXGEN_VERSION,
   CLJ_CMD,
+  cdxgenAgent,
   checksumFile,
   cleanupPlugin,
   collectGemModuleNames,
@@ -88,6 +100,7 @@ import {
   executeParallelGradleProperties,
   executePodCommand,
   extractJarArchive,
+  extractToolRefs,
   frameworksList,
   generatePixiLockFile,
   getAllFiles,
@@ -109,6 +122,7 @@ import {
   getTmpDir,
   hasAnyProjectType,
   includeMavenTestScope,
+  isAllowedHttpHost,
   isDryRun,
   isFeatureEnabled,
   isMac,
@@ -134,6 +148,7 @@ import {
   parseCloudBuildData,
   parseCmakeLikeFile,
   parseCocoaDependency,
+  parseColliderLockData,
   parseComposerJson,
   parseComposerLock,
   parseConanData,
@@ -198,6 +213,7 @@ import {
   readZipEntry,
   recomputeScope,
   recordActivity,
+  recordSensitiveFileRead,
   resetActivityContext,
   SWIFT_CMD,
   safeExistsSync,
@@ -223,10 +239,12 @@ import {
   VSCODE_EXTENSION_PURL_TYPE,
 } from "../helpers/vsixutils.js";
 import {
+  enrichOSComponentsWithTrustData,
   executeOsQuery,
   getBinaryBom,
   getDotnetSlices,
   getOSPackages,
+  getPluginToolComponents,
 } from "../managers/binary.js";
 import {
   addSkippedSrcFiles,
@@ -329,7 +347,10 @@ const createDefaultParentComponent = (
     group: options.projectGroup || "",
     name: compName,
     version: `${options.projectVersion}` || "latest",
-    type: compName.endsWith(".tar") ? "container" : "application",
+    type:
+      type === "container" || compName.endsWith(".tar")
+        ? "container"
+        : "application",
   };
   const ppurl = new PackageURL(
     type,
@@ -344,6 +365,37 @@ const createDefaultParentComponent = (
   return parentComponent;
 };
 
+const shouldIncludeNodeModulesDir = (options = {}, baseProjectTypes = []) => {
+  if (options.deep) {
+    return true;
+  }
+  const projectTypes = Array.isArray(options.projectType)
+    ? options.projectType
+    : options.projectType
+      ? [options.projectType]
+      : [];
+  if (!projectTypes.length) {
+    return true;
+  }
+  return baseProjectTypes.some((projectType) =>
+    projectTypes.every((selectedProjectType) =>
+      PROJECT_TYPE_ALIASES[projectType]?.includes(selectedProjectType),
+    ),
+  );
+};
+
+const hasExplicitProjectTypeSelection = (options, baseProjectType) => {
+  options = options || {};
+  const projectTypes = Array.isArray(options.projectType)
+    ? options.projectType
+    : options.projectType
+      ? [options.projectType]
+      : [];
+  return projectTypes.some((selectedProjectType) =>
+    PROJECT_TYPE_ALIASES[baseProjectType]?.includes(selectedProjectType),
+  );
+};
+
 const determineParentComponent = (options) => {
   let parentComponent;
   if (options.parentComponent && Object.keys(options.parentComponent).length) {
@@ -815,6 +867,18 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
         value: options.allOSComponentTypes.sort().join("\\n"),
       });
     }
+    if (Number.isInteger(options?.unpackagedExecutableCount)) {
+      mproperties.push({
+        name: "cdx:container:unpackagedExecutableCount",
+        value: String(options.unpackagedExecutableCount),
+      });
+    }
+    if (Number.isInteger(options?.unpackagedSharedLibraryCount)) {
+      mproperties.push({
+        name: "cdx:container:unpackagedSharedLibraryCount",
+        value: String(options.unpackagedSharedLibraryCount),
+      });
+    }
     // Should we move these to formulation?
     if (options?.bundledSdks?.length) {
       for (const sdk of options.bundledSdks) {
@@ -918,6 +982,9 @@ export function listComponents(options, allImports, pkg, ptype = "npm") {
   return Object.keys(compMap).map((k) => compMap[k]);
 }
 
+// These component types do not have PURLs
+const NON_PURL_TYPES = ["cryptographic-asset", "file", "data"];
+
 /**
  * Given the specified package, create a CycloneDX component and add it to the list.
  */
@@ -954,9 +1021,9 @@ function addComponent(
     }
     const version = pkg.version || "";
     const licenses = pkg.licenses || getLicenses(pkg);
-    let purl =
-      pkg.purl ||
-      new PackageURL(
+    let purl = pkg.purl;
+    if (!purl && ptype) {
+      purl = new PackageURL(
         ptype,
         encodeForPurl(group),
         encodeForPurl(name),
@@ -964,9 +1031,9 @@ function addComponent(
         pkg.qualifiers,
         encodeForPurl(pkg.subpath),
       );
-    let purlString = purl.toString();
-    // There is no purl for cryptographic-asset
-    if (ptype === "cryptographic-asset") {
+    }
+    let purlString = purl?.toString();
+    if (NON_PURL_TYPES.includes(ptype) || NON_PURL_TYPES.includes(pkg.type)) {
       purl = undefined;
       purlString = undefined;
     }
@@ -1077,7 +1144,7 @@ function addComponent(
     if (pkg.properties?.length) {
       component.properties = pkg.properties;
     }
-    if (pkg.cryptoProperties?.length) {
+    if (pkg.cryptoProperties && typeof pkg.cryptoProperties === "object") {
       component.cryptoProperties = pkg.cryptoProperties;
     }
     // Retain nested components
@@ -1368,17 +1435,21 @@ export async function createJarBom(path, options) {
   let pkgList = [];
   let jarFiles;
   let nsMapping = {};
-  if (!options.exclude) {
-    options.exclude = [];
-  }
-  // We can look for jar files within node_modules directory
-  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
-    options.includeNodeModulesDir = true;
+  const searchOptions = {
+    ...options,
+    exclude: [...(options.exclude || [])],
+  };
+  if (typeof searchOptions.includeNodeModulesDir === "undefined") {
+    searchOptions.includeNodeModulesDir = shouldIncludeNodeModulesDir(options, [
+      "jar",
+      "war",
+      "ear",
+    ]);
   }
   // Exclude certain directories during oci sbom generation
   if (hasAnyProjectType(["oci"], options, false)) {
-    options.exclude.push("**/android-sdk*/**");
-    options.exclude.push("**/.sdkman/**");
+    searchOptions.exclude.push("**/android-sdk*/**");
+    searchOptions.exclude.push("**/.sdkman/**");
   }
   const parentComponent = createDefaultParentComponent(path, "maven", options);
   if (options.useGradleCache) {
@@ -1402,14 +1473,14 @@ export async function createJarBom(path, options) {
     jarFiles = getAllFiles(
       path,
       `${options.multiProject ? "**/" : ""}*.[jw]ar`,
-      options,
+      searchOptions,
     );
   }
   // Jenkins plugins
   const hpiFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}*.hpi`,
-    options,
+    searchOptions,
   );
   if (hpiFiles.length) {
     jarFiles = jarFiles.concat(hpiFiles);
@@ -1464,6 +1535,13 @@ export function createBinaryBom(path, options) {
     const binaryBom = JSON.parse(
       readFileSync(binaryBomFile, { encoding: "utf-8" }),
     );
+    attachIdentityTools(
+      binaryBom?.components,
+      extractToolRefs(
+        binaryBom?.metadata?.tools,
+        (tool) => tool?.name !== "cdxgen",
+      ),
+    );
     return {
       bomJson: binaryBom,
       dependencies: binaryBom.dependencies,
@@ -1891,6 +1969,10 @@ export async function createJavaBom(path, options) {
             ) {
               tools = bomJsonObj.metadata.tools;
             }
+            const toolRefs = extractToolRefs(
+              bomJsonObj?.metadata?.tools,
+              (tool) => tool?.name !== "cdxgen",
+            );
             if (
               bomJsonObj.metadata?.component &&
               !Object.keys(parentComponent).length
@@ -1927,6 +2009,7 @@ export async function createJavaBom(path, options) {
                     name: "SrcFile",
                     value: srcPomFile,
                   });
+                  attachIdentityTools(acomp, toolRefs);
                 }
               }
               pkgList = pkgList.concat(bomJsonObj.components);
@@ -2728,11 +2811,10 @@ export async function createJavaBom(path, options) {
 }
 
 /**
- * Function to create bom string for Node.js projects
+ * Identify the requested AI inventory project types.
  *
- * @param {string} path to the project
  * @param {Object} options Parse options from the cli
- * @returns {Promise<Object>} Promise resolving to BOM object
+ * @returns {string[]} Requested AI inventory types
  */
 function getRequestedAiInventoryTypes(options) {
   return AI_INVENTORY_PROJECT_TYPES.filter((type) =>
@@ -2746,6 +2828,48 @@ function getExcludedAiInventoryTypes(options) {
   );
 }
 
+function filterIncludedAiInventoryTypes(
+  includedAiInventoryTypes,
+  excludedAiInventoryTypes,
+) {
+  return [...new Set(includedAiInventoryTypes)].filter(
+    (type) => !excludedAiInventoryTypes.includes(type),
+  );
+}
+
+/**
+ * Determine which AI inventory types should be collected for a scan.
+ *
+ * This combines explicit project-type opt-ins with BOM audit category-driven
+ * opt-ins, then removes any explicitly excluded inventory types.
+ *
+ * @param {Object} options Parse options from the CLI
+ * @returns {string[]} AI inventory types to collect
+ */
+function getIncludedAiInventoryTypes(options) {
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
+  const exactAiInventoryType = getExactAiInventoryType(options);
+  if (exactAiInventoryType) {
+    return filterIncludedAiInventoryTypes(
+      requestedAiInventoryTypes,
+      excludedAiInventoryTypes,
+    );
+  }
+  const auditCategories = expandBomAuditCategories(options?.bomAuditCategories);
+  const includedAiInventoryTypes = [...requestedAiInventoryTypes];
+  if (auditCategories.includes("ai-agent")) {
+    includedAiInventoryTypes.push("ai-skill");
+  }
+  if (auditCategories.includes("mcp-server")) {
+    includedAiInventoryTypes.push("mcp");
+  }
+  return filterIncludedAiInventoryTypes(
+    includedAiInventoryTypes,
+    excludedAiInventoryTypes,
+  );
+}
+
 function getExactAiInventoryType(options) {
   const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
   return requestedAiInventoryTypes.length === 1 &&
@@ -2755,22 +2879,14 @@ function getExactAiInventoryType(options) {
     : undefined;
 }
 
-function shouldDetectMcpInventory(options, allImports = {}) {
-  if (hasAnyProjectType(["mcp"], options, false)) {
-    return true;
-  }
-  const auditCategories = expandBomAuditCategories(options?.bomAuditCategories);
-  if (
-    auditCategories.some((category) =>
-      ["mcp-server", "ai-agent"].includes(category),
-    )
-  ) {
-    return true;
-  }
-  return Object.keys(allImports).some((importName) => {
-    const classification = classifyMcpReference(importName);
-    return classification.isMcp;
-  });
+/**
+ * Determine whether MCP source-code analysis should run for the current scan.
+ *
+ * @param {string[]} includedAiInventoryTypes AI inventory types selected for collection
+ * @returns {boolean} True when MCP inventory collection is enabled
+ */
+function shouldDetectMcpInventory(includedAiInventoryTypes) {
+  return includedAiInventoryTypes.includes("mcp");
 }
 
 function summarizeAiInventoryNames(subjects, discoveryPath, kindSet) {
@@ -2865,14 +2981,8 @@ export async function createNodejsBom(path, options) {
   let parentComponent = {};
   const parentSubComponents = [];
   let ppurl = "";
-  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
-  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
   const exactAiInventoryType = getExactAiInventoryType(options);
-  const includedAiInventoryTypes = exactAiInventoryType
-    ? requestedAiInventoryTypes
-    : AI_INVENTORY_PROJECT_TYPES.filter(
-        (type) => !excludedAiInventoryTypes.includes(type),
-      );
+  const includedAiInventoryTypes = getIncludedAiInventoryTypes(options);
   let aiInventory = { components: [], dependencies: [], services: [] };
   // Docker mode requires special handling
   if (hasAnyProjectType(["docker", "oci", "container", "os"], options, false)) {
@@ -2924,16 +3034,13 @@ export async function createNodejsBom(path, options) {
     const retData = await findJSImportsExports(path, options.deep);
     allImports = retData.allImports;
     allExports = retData.allExports;
-    if (shouldDetectMcpInventory(options, allImports)) {
+    if (shouldDetectMcpInventory(includedAiInventoryTypes)) {
       mcpInventory = detectMcpInventory(path, options.deep);
     }
   }
   if (includedAiInventoryTypes.length) {
     aiInventory = collectAiInventory(path, options, includedAiInventoryTypes);
   }
-  if (excludedAiInventoryTypes.includes("mcp")) {
-    mcpInventory = { components: [], dependencies: [], services: [] };
-  }
   const aiInventorySummary = summarizeAiInventory(aiInventory);
   if (!exactAiInventoryType) {
     if (aiInventorySummary.instructionCount || aiInventorySummary.skillCount) {
@@ -2946,7 +3053,6 @@ export async function createNodejsBom(path, options) {
         `I found ${aiInventorySummary.mcpConfigCount} MCP config component(s). Use '--exclude-type mcp' to drop them, or '--bom-audit --bom-audit-categories ai-inventory --tlp-classification AMBER' to keep and flag them.`,
       );
     }
-    emitAiInventorySummary(aiInventory, path);
   }
   if (exactAiInventoryType === "ai-skill") {
     const exactComponents = trimComponents([...(aiInventory.components || [])]);
@@ -3126,11 +3232,15 @@ export async function createNodejsBom(path, options) {
       }
       const basePath = dirname(apkgJson);
       let npmrcData;
-      if (safeExistsSync(join(basePath, ".npmrc"))) {
+      const npmrcFile = join(basePath, ".npmrc");
+      if (safeExistsSync(npmrcFile)) {
         thoughtLog(
           "Wait, there is a .npmrc file here! I'm going to check if it has anything malicious.",
         );
-        npmrcData = readFileSync(join(basePath, ".npmrc"), "utf-8");
+        npmrcData = readFileSync(npmrcFile, "utf-8");
+        recordSensitiveFileRead(npmrcFile, {
+          label: "npm registry configuration",
+        });
         const npmrcObj = parseNpmrc(npmrcData);
         for (const [key, value] of Object.entries(npmrcObj)) {
           const baseKey = key.replace(/^(?:\/\/[^/]+\/|@[^:]+:)/, "");
@@ -4061,14 +4171,7 @@ export async function createPythonBom(path, options) {
   let dependencies = [];
   let pkgList = [];
   let formulationList = [];
-  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
-  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
-  const includedAiInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter(
-    (type) =>
-      (!requestedAiInventoryTypes.length ||
-        requestedAiInventoryTypes.includes(type)) &&
-      !excludedAiInventoryTypes.includes(type),
-  );
+  const includedAiInventoryTypes = getIncludedAiInventoryTypes(options);
   let aiInventory = { components: [], dependencies: [], services: [] };
   let mcpInventory = { components: [], dependencies: [], services: [] };
   const tempDir = safeMkdtempSync(join(getTmpDir(), "cdxgen-venv-"));
@@ -5416,6 +5519,11 @@ export function createCppBom(path, options) {
   let parentComponent;
   let dependencies = [];
   const addedParentComponentsMap = {};
+  const colliderLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}collider.lock`,
+    options,
+  );
   const conanLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}conan.lock`,
@@ -5492,6 +5600,39 @@ export function createCppBom(path, options) {
       }
     }
   }
+  if (colliderLockFiles.length) {
+    for (const f of colliderLockFiles) {
+      if (DEBUG_MODE) {
+        console.log(`Parsing ${f}`);
+      }
+      const colliderLockData = readFileSync(f, { encoding: "utf-8" });
+      const {
+        pkgList: colliderPkgList,
+        dependencies: colliderDependencies,
+        parentComponentDependencies: parentCompDeps,
+      } = parseColliderLockData(colliderLockData, f);
+
+      if (colliderPkgList.length) {
+        pkgList = pkgList.concat(colliderPkgList);
+      }
+
+      if (Object.keys(colliderDependencies).length) {
+        dependencies = mergeDependencies(
+          dependencies,
+          Object.keys(colliderDependencies).map((dependentBomRef) => ({
+            ref: dependentBomRef,
+            dependsOn: colliderDependencies[dependentBomRef],
+          })),
+        );
+      }
+
+      if (parentCompDeps.length) {
+        parentComponentDependencies = [
+          ...new Set(parentComponentDependencies.concat(parentCompDeps)),
+        ];
+      }
+    }
+  }
   if (cmakeLikeFiles.length) {
     for (const f of cmakeLikeFiles) {
       if (DEBUG_MODE) {
@@ -5876,6 +6017,7 @@ export function createOSBom(_path, options) {
   let pkgList = [];
   let bomData = {};
   let parentComponent = {};
+  let externalTools = getPluginToolComponents(["osquery"]);
   for (const queryCategory of Object.keys(osQueries)) {
     const queryObj = osQueries[queryCategory];
     const results = executeOsQuery(queryObj.query);
@@ -5894,6 +6036,20 @@ export function createOSBom(_path, options) {
       );
     }
   } // for
+  const hostTrustInventory = enrichOSComponentsWithTrustData(pkgList);
+  if (hostTrustInventory?.components?.length) {
+    pkgList = hostTrustInventory.components;
+  }
+  if (hostTrustInventory?.tools?.length) {
+    externalTools = externalTools.concat(hostTrustInventory.tools);
+  }
+  if (externalTools.length) {
+    options.tools = Array.from(
+      new Map(
+        externalTools.map((tool) => [tool["bom-ref"] || tool.name, tool]),
+      ).values(),
+    );
+  }
   if (pkgList.length) {
     bomData = buildBomNSData(options, pkgList, "", {
       src: "",
@@ -6830,24 +6986,26 @@ export async function createContainerSpecLikeBom(path, options) {
 export function createPHPBom(path, options) {
   let dependencies = [];
   let parentComponent = {};
-  // We can look for composer files within node_modules directory
-  if (typeof options.includeNodeModulesDir === "undefined" || options.deep) {
-    options.includeNodeModulesDir = true;
-  }
+  const searchOptions = {
+    ...options,
+    includeNodeModulesDir:
+      typeof options.includeNodeModulesDir === "undefined"
+        ? shouldIncludeNodeModulesDir(options, ["php"])
+        : options.includeNodeModulesDir,
+  };
+  const composerLockSearchOptions = {
+    ...searchOptions,
+    exclude: [...(options.exclude || []), "**/vendor/**"],
+  };
   const composerJsonFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.json`,
-    options,
+    searchOptions,
   );
-  if (!options.exclude) {
-    options.exclude = [];
-  }
-  // Ignore vendor directories for lock files
-  options.exclude.push("**/vendor/**");
   let composerLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.lock`,
-    options,
+    composerLockSearchOptions,
   );
   let pkgList = [];
   const composerJsonMode = composerJsonFiles.length;
@@ -6910,7 +7068,7 @@ export function createPHPBom(path, options) {
   composerLockFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}composer.lock`,
-    options,
+    composerLockSearchOptions,
   );
   if (composerLockFiles.length) {
     // Look for any root composer.json to capture the parentComponent
@@ -7695,6 +7853,10 @@ export async function createVscodeExtensionBom(path, options) {
   let pkgList = [];
   let dependencies = [];
   const tempDirs = [];
+  const shouldDiscoverInstalledIdeExtensions = hasExplicitProjectTypeSelection(
+    options,
+    "vscode-extension",
+  );
 
   // Mode 1: Scan for .vsix files in the given directory, or treat the input
   // path as a single .vsix file.
@@ -7740,7 +7902,7 @@ export async function createVscodeExtensionBom(path, options) {
   }
 
   // Mode 2: Auto-discover extensions from known IDE locations
-  if (options.deep || options.projectType?.includes("ide-extensions")) {
+  if (shouldDiscoverInstalledIdeExtensions) {
     const ideDirs = discoverIdeExtensionDirs();
     if (ideDirs.length) {
       if (DEBUG_MODE) {
@@ -7782,6 +7944,198 @@ export async function createVscodeExtensionBom(path, options) {
   });
 }
 
+/**
+ * Function to create BOM for Electron ASAR archives.
+ *
+ * @param {string} path to a single archive or a directory to scan
+ * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
+ */
+export async function createAsarBom(path, options) {
+  let pkgList = [];
+  let dependencies = [];
+  let parentComponent = {};
+  const tempDirs = [];
+  const processedArchives = new Set();
+  const maxNestedAsarDepth = 4;
+  const explicitAsarPath = path.endsWith(".asar") ? resolve(path) : undefined;
+  const asarFiles = explicitAsarPath
+    ? [explicitAsarPath]
+    : getAllFiles(path, `${options.multiProject ? "**/" : ""}*.asar`, options);
+
+  const aggregateArchiveResults = (
+    archiveAnalysis,
+    isPrimaryArchive = false,
+  ) => {
+    if (
+      archiveAnalysis.parentComponent &&
+      Object.keys(archiveAnalysis.parentComponent).length
+    ) {
+      if (isPrimaryArchive && !Object.keys(parentComponent).length) {
+        parentComponent = archiveAnalysis.parentComponent;
+      } else {
+        pkgList.push(archiveAnalysis.parentComponent);
+      }
+    }
+    if (archiveAnalysis.components?.length) {
+      pkgList = pkgList.concat(archiveAnalysis.components);
+    }
+    if (archiveAnalysis.dependencies?.length) {
+      dependencies = mergeDependencies(
+        dependencies,
+        archiveAnalysis.dependencies,
+        parentComponent,
+      );
+    }
+  };
+
+  const analyzeExtractedArchive = async (
+    extractedDir,
+    archiveAnalysis,
+    archiveIdentityPath,
+  ) => {
+    if (!archiveAnalysis.packageManifestPaths?.length) {
+      return undefined;
+    }
+    const nodeBomOptions = {
+      ...options,
+      installDeps: false,
+      multiProject: true,
+      noBabel: false,
+      path: extractedDir,
+      projectType: ["js"],
+    };
+    const nodeBomData = await createNodejsBom(extractedDir, nodeBomOptions);
+    if (nodeBomData?.bomJson?.components?.length) {
+      rewriteExtractedArchivePaths(
+        nodeBomData.bomJson.components,
+        extractedDir,
+        archiveIdentityPath,
+      );
+      pkgList = pkgList.concat(nodeBomData.bomJson.components);
+    }
+    if (nodeBomData?.bomJson?.dependencies?.length) {
+      dependencies = mergeDependencies(
+        dependencies,
+        nodeBomData.bomJson.dependencies,
+      );
+    }
+    if (
+      archiveAnalysis.parentComponent?.["bom-ref"] &&
+      nodeBomData?.parentComponent?.["bom-ref"] &&
+      archiveAnalysis.parentComponent["bom-ref"] !==
+        nodeBomData.parentComponent["bom-ref"]
+    ) {
+      rewriteExtractedArchivePaths(
+        nodeBomData.parentComponent,
+        extractedDir,
+        archiveIdentityPath,
+      );
+      dependencies = mergeDependencies(dependencies, [
+        {
+          ref: archiveAnalysis.parentComponent["bom-ref"],
+          dependsOn: [nodeBomData.parentComponent["bom-ref"]],
+        },
+      ]);
+    }
+    return nodeBomData;
+  };
+
+  const processAsarArchive = async (
+    archivePath,
+    archiveIdentityPath,
+    isPrimaryArchive = false,
+    depth = 0,
+  ) => {
+    const processedKey = archiveIdentityPath;
+    if (processedArchives.has(processedKey)) {
+      return undefined;
+    }
+    processedArchives.add(processedKey);
+    const archiveAnalysis = await parseAsarArchive(archivePath, {
+      ...options,
+      asarVirtualPath: archiveIdentityPath,
+    });
+    aggregateArchiveResults(archiveAnalysis, isPrimaryArchive);
+    const shouldExtract =
+      archiveAnalysis.packageManifestPaths?.length ||
+      (depth < maxNestedAsarDepth &&
+        archiveAnalysis.summary?.nestedArchiveCount > 0);
+    if (!shouldExtract) {
+      return archiveAnalysis.parentComponent?.["bom-ref"];
+    }
+    const extractedDir = await extractAsarToTempDir(archivePath);
+    if (!extractedDir) {
+      return archiveAnalysis.parentComponent?.["bom-ref"];
+    }
+    tempDirs.push(extractedDir);
+    await analyzeExtractedArchive(
+      extractedDir,
+      archiveAnalysis,
+      archiveIdentityPath,
+    );
+    if (depth < maxNestedAsarDepth) {
+      const nestedAsarFiles = getAllFiles(extractedDir, "**/*.asar", options);
+      for (const nestedArchivePath of nestedAsarFiles) {
+        const relativeNestedArchivePath = relative(
+          extractedDir,
+          nestedArchivePath,
+        ).replaceAll("\\", "/");
+        if (
+          !relativeNestedArchivePath ||
+          relativeNestedArchivePath.startsWith("..")
+        ) {
+          continue;
+        }
+        const nestedArchiveIdentityPath = `${archiveIdentityPath}#/${relativeNestedArchivePath}`;
+        const nestedParentRef = await processAsarArchive(
+          nestedArchivePath,
+          nestedArchiveIdentityPath,
+          false,
+          depth + 1,
+        );
+        if (
+          archiveAnalysis.parentComponent?.["bom-ref"] &&
+          nestedParentRef &&
+          archiveAnalysis.parentComponent["bom-ref"] !== nestedParentRef
+        ) {
+          dependencies = mergeDependencies(dependencies, [
+            {
+              ref: archiveAnalysis.parentComponent["bom-ref"],
+              dependsOn: [nestedParentRef],
+            },
+          ]);
+        }
+      }
+    }
+    return archiveAnalysis.parentComponent?.["bom-ref"];
+  };
+  try {
+    for (const archivePath of asarFiles) {
+      const isPrimaryArchive =
+        explicitAsarPath && resolve(archivePath) === explicitAsarPath;
+      await processAsarArchive(
+        archivePath,
+        resolve(archivePath),
+        isPrimaryArchive,
+        0,
+      );
+    }
+  } finally {
+    for (const tempDir of tempDirs) {
+      cleanupAsarTempDir(tempDir);
+    }
+  }
+  pkgList = trimComponents(pkgList);
+  return buildBomNSData(options, pkgList, "asar", {
+    src: path,
+    filename: asarFiles.join(", "),
+    nsMapping: {},
+    dependencies,
+    parentComponent,
+  });
+}
+
 /**
  * Function to create BOM for installed Chrome and Chromium-based browser extensions.
  *
@@ -7793,7 +8147,8 @@ export async function createChromeExtensionBom(path, options) {
   let dependencies = [];
   let sourcePaths = [];
   const directResult = collectChromeExtensionsFromPath(path);
-  const chromeDirs = discoverChromiumExtensionDirs();
+  const shouldDiscoverInstalledChromeExtensions =
+    hasExplicitProjectTypeSelection(options, "chrome-extension");
   let pkgList = directResult.components || [];
   if (directResult.extensionDirs?.length) {
     sourcePaths = directResult.extensionDirs.slice();
@@ -7812,20 +8167,23 @@ export async function createChromeExtensionBom(path, options) {
       `Found ${pkgList.length} component(s) from direct Chrome extension path scan`,
     );
   }
-  if (chromeDirs.length) {
-    if (DEBUG_MODE) {
-      thoughtLog(
-        `Discovered Chromium extension directories: ${chromeDirs.map((d) => `${d.browser} (${d.channel}): ${d.dir}`).join(", ")}`,
-      );
-    }
-    if (!pkgList.length) {
-      pkgList = collectInstalledChromeExtensions(chromeDirs);
-      sourcePaths = chromeDirs.map((d) => d.dir);
-    }
-    if (DEBUG_MODE && pkgList.length && !directResult.components?.length) {
-      thoughtLog(
-        `Found ${pkgList.length} Chrome/Chromium extension(s) from ${chromeDirs.length} browser location(s)`,
-      );
+  if (shouldDiscoverInstalledChromeExtensions) {
+    const chromeDirs = discoverChromiumExtensionDirs();
+    if (chromeDirs.length) {
+      if (DEBUG_MODE) {
+        thoughtLog(
+          `Discovered Chromium extension directories: ${chromeDirs.map((d) => `${d.browser} (${d.channel}): ${d.dir}`).join(", ")}`,
+        );
+      }
+      if (!pkgList.length) {
+        pkgList = collectInstalledChromeExtensions(chromeDirs);
+        sourcePaths = chromeDirs.map((d) => d.dir);
+      }
+      if (DEBUG_MODE && pkgList.length && !directResult.components?.length) {
+        thoughtLog(
+          `Found ${pkgList.length} Chrome/Chromium extension(s) from ${chromeDirs.length} browser location(s)`,
+        );
+      }
     }
   }
   pkgList = trimComponents(pkgList);
@@ -7945,6 +8303,26 @@ export async function createCryptoCertsBom(path, options) {
   for (const f of certFiles) {
     const name = basename(f);
     const fileHash = await checksumFile("sha256", f);
+    let evidence;
+    if (options.evidence) {
+      const identityEvidence = {
+        field: "name",
+        confidence: 1,
+        concludedValue: name,
+        methods: [
+          {
+            technique: "filename",
+            confidence: 1,
+            value: f,
+          },
+        ],
+      };
+      evidence = {
+        identity:
+          options.specVersion >= 1.6 ? [identityEvidence] : identityEvidence,
+        occurrences: [{ location: f }],
+      };
+    }
     const apkg = {
       name,
       type: "cryptographic-asset",
@@ -7957,10 +8335,18 @@ export async function createCryptoCertsBom(path, options) {
           implementationPlatform: "unknown",
         },
       },
+      ...(evidence ? { evidence } : {}),
       properties: [{ name: "SrcFile", value: f }],
     };
     pkgList.push(apkg);
   }
+  const sourceCryptoComponents = await collectSourceCryptoComponents(
+    path,
+    options,
+  );
+  if (sourceCryptoComponents.length) {
+    pkgList.push(...sourceCryptoComponents);
+  }
   return {
     bomJson: {
       components: pkgList,
@@ -8051,6 +8437,7 @@ export async function createMultiXBom(pathList, options) {
   ) {
     const {
       osPackages,
+      osPackageFiles,
       dependenciesList,
       allTypes,
       bundledSdks,
@@ -8058,6 +8445,8 @@ export async function createMultiXBom(pathList, options) {
       binPaths,
       executables,
       sharedLibs,
+      services,
+      tools,
     } = await getOSPackages(
       options.allLayersExplodedDir,
       options.exportData?.inspectData?.Config,
@@ -8067,14 +8456,16 @@ export async function createMultiXBom(pathList, options) {
     options.bundledSdks = bundledSdks;
     options.bundledRuntimes = bundledRuntimes;
     options.binPaths = binPaths;
+    options.unpackagedExecutableCount = executables?.length || 0;
+    options.unpackagedSharedLibraryCount = sharedLibs?.length || 0;
     if (DEBUG_MODE) {
       console.log(
-        `**OS**: Found ${osPackages.length} OS packages, ${executables?.length} executables, and ${sharedLibs.length} shared libraries at ${options.allLayersExplodedDir}`,
+        `**OS**: Found ${osPackages.length} OS packages, ${osPackageFiles?.length} package-owned files, ${executables?.length} unpackaged executables, ${sharedLibs.length} unpackaged shared libraries, and ${services?.length || 0} packaged services at ${options.allLayersExplodedDir}`,
       );
     }
     if (osPackages.length) {
       thoughtLog(
-        `I found ${osPackages.length} OS packages and ${executables?.length} executables at ${options.allLayersExplodedDir}`,
+        `I found ${osPackages.length} OS packages, ${osPackageFiles?.length || 0} package-owned files, and ${services?.length || 0} packaged services at ${options.allLayersExplodedDir}`,
       );
     } else if (executables?.length || sharedLibs?.length) {
       thoughtLog(
@@ -8088,15 +8479,28 @@ export async function createMultiXBom(pathList, options) {
     if (allTypes?.length) {
       options.allOSComponentTypes = allTypes;
     }
+    if (tools?.length) {
+      options.tools = (
+        Array.isArray(options.tools)
+          ? options.tools
+          : options.tools?.components || []
+      ).concat(tools);
+    }
     components = components.concat(osPackages);
+    components = components.concat(osPackageFiles || []);
     components = components.concat(executables);
     components = components.concat(sharedLibs);
     if (dependenciesList?.length) {
       dependencies = mergeDependencies(dependencies, dependenciesList);
     }
+    if (services?.length) {
+      options.services = mergeServices(options.services || [], services);
+    }
     if (parentComponent && Object.keys(parentComponent).length) {
       // Make the parent oci image depend on all os components
-      const parentDependsOn = new Set(osPackages.map((p) => p["bom-ref"]));
+      const parentDependsOn = new Set(
+        osPackages.concat(osPackageFiles || []).map((p) => p["bom-ref"]),
+      );
       dependencies.splice(0, 0, {
         ref: parentComponent["bom-ref"],
         dependsOn: Array.from(parentDependsOn).sort(),
@@ -8798,6 +9202,28 @@ export async function createMultiXBom(pathList, options) {
         }
       }
     }
+    if (hasAnyProjectType(["asar"], options)) {
+      setProjectTypeActivityContext("asar", path);
+      bomData = await createAsarBom(path, options);
+      if (bomData?.bomJson?.components?.length) {
+        if (DEBUG_MODE) {
+          console.log(
+            `Found ${bomData.bomJson.components.length} ASAR component(s) at ${path}`,
+          );
+        }
+        components = components.concat(bomData.bomJson.components);
+        dependencies = mergeDependencies(
+          dependencies,
+          bomData.bomJson.dependencies,
+        );
+        if (
+          bomData.parentComponent &&
+          Object.keys(bomData.parentComponent).length
+        ) {
+          parentSubComponents.push(bomData.parentComponent);
+        }
+      }
+    }
     if (hasAnyProjectType(["vscode-extension"], options)) {
       setProjectTypeActivityContext("vscode-extension", path);
       bomData = await createVscodeExtensionBom(path, options);
@@ -9162,6 +9588,11 @@ export async function createXBom(path, options) {
     `${options.multiProject ? "**/" : ""}conan.lock`,
     options,
   );
+  const colliderLockFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}collider.lock`,
+    options,
+  );
   const conanFiles = getAllFiles(
     path,
     `${options.multiProject ? "**/" : ""}conanfile.txt`,
@@ -9178,6 +9609,7 @@ export async function createXBom(path, options) {
     options,
   );
   if (
+    colliderLockFiles.length ||
     conanLockFiles.length ||
     conanFiles.length ||
     cmakeListFiles.length ||
@@ -9231,6 +9663,16 @@ export async function createXBom(path, options) {
     return await createVscodeExtensionBom(path, options);
   }
 
+  // Electron ASAR archives
+  const asarFiles = getAllFiles(
+    path,
+    `${options.multiProject ? "**/" : ""}*.asar`,
+    options,
+  );
+  if (asarFiles.length) {
+    return await createAsarBom(path, options);
+  }
+
   // Helm charts
   const chartFiles = getAllFiles(
     path,
@@ -9333,6 +9775,35 @@ export async function createXBom(path, options) {
   }
 }
 
+/**
+ * Function to create a hardware BOM for the current host.
+ *
+ * @param {string} _path Source path (unused for live host HBOM generation)
+ * @param {Object} options Parse options from the cli
+ * @returns {Promise<Object>} Promise resolving to BOM object
+ */
+export async function createHBom(_path, options) {
+  ensureHbomRuntimeSupport(options, options.commandName || "hbom");
+  let bomJson = await createHbomDocument(options);
+  if (options.includeRuntime) {
+    const runtimeOptions = {
+      ...options,
+      includeRuntime: false,
+      multiProject: false,
+      projectType: ["os"],
+    };
+    const obomData = await createOSBom(_path, runtimeOptions);
+    bomJson = mergeHostInventoryBoms(bomJson, obomData);
+  } else {
+    bomJson = mergeHostInventoryBoms(bomJson);
+  }
+  return {
+    bomJson,
+    dependencies: bomJson.dependencies || [],
+    parentComponent: bomJson.metadata?.component,
+  };
+}
+
 /**
  * Function to create bom string for various languages
  *
@@ -9345,8 +9816,27 @@ export async function createBom(path, options) {
   if (!projectType) {
     projectType = [];
   }
+  ensureNoMixedHbomProjectTypes(projectType);
+  if (hasHbomProjectType(projectType)) {
+    const selectedHbomProjectType = Array.isArray(projectType)
+      ? projectType[0]
+      : `${projectType}`.split(",")[0];
+    options.projectType = [selectedHbomProjectType];
+    setActivityContext({
+      projectType: selectedHbomProjectType,
+      sourcePath: path,
+    });
+    thoughtLog(
+      "The user wants a Hardware Bill-of-Materials (HBOM) for the current host. Let's use the dedicated hardware collector.",
+    );
+    return await createHBom(path, options);
+  }
   let exportData;
   let isContainerMode = false;
+  const isLocalDirectoryInput =
+    !options.projectType?.includes("universal") &&
+    safeExistsSync(path) &&
+    lstatSync(path).isDirectory();
   // Docker and image archive support
   // TODO: Support any source archive
   if (path.endsWith(".tar") || path.endsWith(".tar.gz")) {
@@ -9359,6 +9849,22 @@ export async function createBom(path, options) {
       return {};
     }
     isContainerMode = true;
+  } else if (
+    isLocalDirectoryInput &&
+    (hasAnyProjectType(["oci-dir"], options, false) ||
+      hasAnyProjectType(["oci"], options, false))
+  ) {
+    isContainerMode = true;
+    exportData = {
+      inspectData: undefined,
+      lastWorkingDir: "",
+      allLayersDir: path,
+      allLayersExplodedDir: path,
+    };
+    if (safeExistsSync(join(path, "all-layers"))) {
+      exportData.allLayersExplodedDir = join(path, "all-layers");
+    }
+    exportData.pkgPathList = getPkgPathList(exportData, undefined);
   } else if (
     (options.projectType &&
       !options.projectType?.includes("universal") &&
@@ -9386,21 +9892,6 @@ export async function createBom(path, options) {
         console.log(path, "doesn't appear to be a valid container image.");
       }
     }
-  } else if (
-    !options.projectType?.includes("universal") &&
-    hasAnyProjectType(["oci-dir"], options, false)
-  ) {
-    isContainerMode = true;
-    exportData = {
-      inspectData: undefined,
-      lastWorkingDir: "",
-      allLayersDir: path,
-      allLayersExplodedDir: path,
-    };
-    if (safeExistsSync(join(path, "all-layers"))) {
-      exportData.allLayersDir = join(path, "all-layers");
-    }
-    exportData.pkgPathList = getPkgPathList(exportData, undefined);
   }
   if (isContainerMode) {
     options.multiProject = true;
@@ -9474,6 +9965,9 @@ export async function createBom(path, options) {
   if (path.endsWith(".war")) {
     projectType = ["java"];
   }
+  if (!projectType.length && path.endsWith(".asar")) {
+    projectType = ["asar"];
+  }
   if (projectType.length > 1) {
     setActivityContext({
       projectType: projectType.join(","),
@@ -9597,6 +10091,9 @@ export async function createBom(path, options) {
   if (PROJECT_TYPE_ALIASES["caxa"].includes(projectType[0])) {
     return await createCaxaBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["asar"].includes(projectType[0])) {
+    return await createAsarBom(path, options);
+  }
   if (PROJECT_TYPE_ALIASES["vscode-extension"].includes(projectType[0])) {
     return await createVscodeExtensionBom(path, options);
   }
@@ -9641,17 +10138,33 @@ export async function createBom(path, options) {
  * @throws {Error} if the request fails
  */
 export async function submitBom(args, bomContents) {
+  const dependencyTrackApiUrl = getDependencyTrackBomApiUrl(args.serverUrl);
+  const serverUrl = dependencyTrackApiUrl?.toString();
+  if (!dependencyTrackApiUrl || !serverUrl) {
+    console.log(
+      "Invalid Dependency-Track server URL. Provide an absolute http(s) URL without dangerous characters.",
+    );
+    args.failOnError && process.exit(1);
+    return undefined;
+  }
+  const serverHost = dependencyTrackApiUrl.hostname;
+  if (!isAllowedHttpHost(serverHost)) {
+    console.log(
+      `Dependency-Track server host '${serverHost}' is not allowed by CDXGEN_ALLOWED_HOSTS.`,
+    );
+    args.failOnError && process.exit(1);
+    return undefined;
+  }
   if (isDryRun) {
     recordActivity({
       kind: "network",
       reason:
         "Dry run mode blocks Dependency-Track submission and reports the request instead.",
       status: "blocked",
-      target: getDependencyTrackBomUrl(args.serverUrl),
+      target: serverUrl,
     });
     return undefined;
   }
-  const serverUrl = getDependencyTrackBomUrl(args.serverUrl);
   const bomPayload = buildDependencyTrackBomPayload(args, bomContents);
   if (!bomPayload) {
     console.log(
@@ -9670,27 +10183,31 @@ export async function submitBom(args, bomContents) {
     );
   }
   try {
-    if (DEBUG_MODE && args.skipDtTlsCheck) {
-      console.log(
-        "Calling ",
-        serverUrl,
-        "with --skip-dt-tls-check argument: Skip DT TLS check.",
-      );
-    }
-    // See issue #1963 regarding CRLF hardening
-    return await got(serverUrl, {
+    const requestOptions = {
       method: "PUT",
+      followRedirect: false,
       https: {
         rejectUnauthorized: !args.skipDtTlsCheck,
       },
       headers: {
         "X-Api-Key": (args.apiKey || "").replace(/[\r\n]/g, ""),
         "Content-Type": "application/json",
-        "user-agent": `@CycloneDX/cdxgen ${CDXGEN_VERSION}`,
       },
       json: bomPayload,
       responseType: "json",
-    }).json();
+      context: {
+        activityIntent: "bom-submit",
+      },
+    };
+    if (DEBUG_MODE && args.skipDtTlsCheck) {
+      console.log(
+        "Calling ",
+        serverUrl,
+        "with --skip-dt-tls-check argument: Skip DT TLS check.",
+      );
+    }
+    // See issue #1963 regarding CRLF hardening
+    return await cdxgenAgent(dependencyTrackApiUrl, requestOptions).json();
   } catch (error) {
     if (error.response && error.response.statusCode === 401) {
       // Unauthorized
@@ -9703,18 +10220,21 @@ export async function submitBom(args, bomContents) {
       );
       // Method not allowed errors
       try {
-        return await got(serverUrl, {
+        return await cdxgenAgent(dependencyTrackApiUrl, {
           method: "POST",
+          followRedirect: false,
           https: {
             rejectUnauthorized: !args.skipDtTlsCheck,
           },
           headers: {
-            "X-Api-Key": args.apiKey,
+            "X-Api-Key": (args.apiKey || "").replace(/[\r\n]/g, ""),
             "Content-Type": "application/json",
-            "user-agent": `@CycloneDX/cdxgen ${CDXGEN_VERSION}`,
           },
           json: bomPayload,
           responseType: "json",
+          context: {
+            activityIntent: "bom-submit",
+          },
         }).json();
       } catch (error) {
         if (DEBUG_MODE) {