@cyclonedx/cdxgen 12.3.3 → 12.4.1

package/lib/helpers/plugins.js

@@ -0,0 +1,350 @@
+import { arch as runtimeArch, platform as runtimePlatform } from "node:os";
+import { delimiter, join } from "node:path";
+import process from "node:process";
+
+import {
+  DEBUG_MODE,
+  dirNameStr,
+  retrieveCdxgenPluginVersion,
+  safeExistsSync,
+  safeSpawnSync,
+} from "./utils.js";
+
+const PLUGIN_ENV_COMMAND_NAMES = {
+  "cargo-auditable": "CARGO_AUDITABLE_CMD",
+  dosai: "DOSAI_CMD",
+  osquery: "OSQUERY_CMD",
+  sourcekitten: "SOURCEKITTEN_CMD",
+  trivy: "TRIVY_CMD",
+  trustinspector: "TRUSTINSPECTOR_CMD",
+};
+
+function isMusl() {
+  const result = safeSpawnSync("ldd", ["--version"]);
+  return result?.stdout?.includes("musl") || result?.stderr?.includes("musl");
+}
+
+function hasUsablePluginsDir(pluginsDir) {
+  return (
+    safeExistsSync(pluginsDir) &&
+    (safeExistsSync(join(pluginsDir, "plugins-manifest.json")) ||
+      [
+        "cargo-auditable",
+        "dosai",
+        "osquery",
+        "sourcekitten",
+        "trivy",
+        "trustinspector",
+      ].some((pluginName) => safeExistsSync(join(pluginsDir, pluginName))))
+  );
+}
+
+/**
+ * Determine the normalized plugin target tuple for the current runtime.
+ *
+ * @returns {{arch: string, extn: string, platform: string, pluginsBinSuffix: string}}
+ */
+export function getPluginsBinTarget() {
+  let platform = runtimePlatform();
+  let extn = "";
+  let pluginsBinSuffix = "";
+  if (platform === "win32") {
+    platform = "windows";
+    extn = ".exe";
+  } else if (platform === "linux" && isMusl()) {
+    platform = "linuxmusl";
+  }
+
+  let arch = `${runtimeArch()}`;
+  if (arch === "x32") {
+    arch = "386";
+  } else if (arch === "x64") {
+    arch = "amd64";
+    pluginsBinSuffix = `-${platform}-amd64`;
+  } else if (arch === "arm64") {
+    pluginsBinSuffix = `-${platform}-arm64`;
+  } else if (arch === "ppc64") {
+    arch = "ppc64le";
+    pluginsBinSuffix = "-ppc64";
+  }
+
+  return {
+    arch,
+    extn,
+    platform,
+    pluginsBinSuffix,
+  };
+}
+
+/**
+ * Resolve the cdxgen companion plugins directory for the current runtime.
+ *
+ * @returns {{
+ *   arch: string,
+ *   extn: string,
+ *   extraNMBinPath: string|undefined,
+ *   platform: string,
+ *   pluginManifestFile: string|undefined,
+ *   pluginVersion: string|undefined,
+ *   pluginsBinSuffix: string,
+ *   pluginsDir: string,
+ * }}
+ */
+export function resolveCdxgenPlugins() {
+  const target = getPluginsBinTarget();
+  const pluginVersion = retrieveCdxgenPluginVersion();
+  let pluginsDir = process.env.CDXGEN_PLUGINS_DIR || "";
+  let extraNMBinPath;
+
+  if (!pluginsDir && hasUsablePluginsDir(join(dirNameStr, "plugins"))) {
+    pluginsDir = join(dirNameStr, "plugins");
+  }
+
+  if (
+    !pluginsDir &&
+    hasUsablePluginsDir(
+      join(
+        dirNameStr,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      ),
+    )
+  ) {
+    pluginsDir = join(
+      dirNameStr,
+      "node_modules",
+      "@cdxgen",
+      `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+      "plugins",
+    );
+    if (safeExistsSync(join(dirNameStr, "node_modules", ".bin"))) {
+      extraNMBinPath = join(dirNameStr, "node_modules", ".bin");
+    }
+  }
+
+  if (!pluginsDir) {
+    let globalNodePath = process.env.GLOBAL_NODE_MODULES_PATH || undefined;
+    if (!globalNodePath) {
+      if (DEBUG_MODE) {
+        console.log(
+          'Trying to find the global node_modules path with "pnpm root -g" command.',
+        );
+      }
+      const result = safeSpawnSync(
+        target.platform === "windows" ? "pnpm.cmd" : "pnpm",
+        ["root", "-g"],
+      );
+      if (result?.stdout) {
+        globalNodePath = `${result.stdout.trim()}/`;
+      }
+    }
+
+    let globalPlugins;
+    if (globalNodePath) {
+      globalPlugins = join(
+        globalNodePath,
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      );
+      extraNMBinPath = join(
+        globalNodePath,
+        "..",
+        ".pnpm",
+        "node_modules",
+        ".bin",
+      );
+    }
+
+    let altGlobalPlugins;
+    if (
+      dirNameStr.includes(join("node_modules", ".pnpm", "@cyclonedx+cdxgen"))
+    ) {
+      const tmpA = dirNameStr.split(join("node_modules", ".pnpm"));
+      altGlobalPlugins = join(
+        tmpA[0],
+        "node_modules",
+        ".pnpm",
+        `@cdxgen+cdxgen-plugins-bin${target.pluginsBinSuffix}@${pluginVersion}`,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      );
+      if (safeExistsSync(join(tmpA[0], "node_modules", ".bin"))) {
+        extraNMBinPath = join(tmpA[0], "node_modules", ".bin");
+      }
+    } else if (dirNameStr.includes(join(".pnpm", "@cyclonedx+cdxgen"))) {
+      const tmpA = dirNameStr.split(".pnpm");
+      altGlobalPlugins = join(
+        tmpA[0],
+        ".pnpm",
+        `@cdxgen+cdxgen-plugins-bin${target.pluginsBinSuffix}@${pluginVersion}`,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      );
+      if (safeExistsSync(join(tmpA[0], ".bin"))) {
+        extraNMBinPath = join(tmpA[0], ".bin");
+      }
+    } else if (dirNameStr.includes(join("caxa", "applications"))) {
+      altGlobalPlugins = join(
+        dirNameStr,
+        "node_modules",
+        "pnpm",
+        `@cdxgen+cdxgen-plugins-bin${target.pluginsBinSuffix}@${pluginVersion}`,
+        "node_modules",
+        "@cdxgen",
+        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
+        "plugins",
+      );
+      extraNMBinPath = join(dirNameStr, "node_modules", ".bin");
+    }
+
+    if (globalPlugins && safeExistsSync(globalPlugins)) {
+      pluginsDir = globalPlugins;
+      if (DEBUG_MODE) {
+        console.log("Found global plugins", pluginsDir);
+      }
+    } else if (altGlobalPlugins && safeExistsSync(altGlobalPlugins)) {
+      pluginsDir = altGlobalPlugins;
+      if (DEBUG_MODE) {
+        console.log("Found global plugins", pluginsDir);
+      }
+    }
+  }
+
+  if (!pluginsDir) {
+    if (DEBUG_MODE) {
+      console.warn(
+        "The optional cdxgen plugin was not found. Please install cdxgen without excluding optional dependencies if needed.",
+      );
+    }
+    pluginsDir = "";
+  }
+
+  const pluginManifestFile = safeExistsSync(
+    join(pluginsDir, "plugins-manifest.json"),
+  )
+    ? join(pluginsDir, "plugins-manifest.json")
+    : undefined;
+
+  return {
+    ...target,
+    extraNMBinPath,
+    pluginManifestFile,
+    pluginVersion,
+    pluginsDir,
+  };
+}
+
+function getPluginRuntimeCacheKey() {
+  return [
+    process.env.CDXGEN_PLUGINS_DIR || "",
+    process.env.GLOBAL_NODE_MODULES_PATH || "",
+  ].join("\u0000");
+}
+
+let cachedPluginRuntime;
+let cachedPluginRuntimeKey;
+
+/**
+ * Retrieve the default plugin runtime, recomputing it only when the
+ * environment that influences plugin discovery changes.
+ *
+ * @returns {ReturnType<typeof resolveCdxgenPlugins>} The resolved plugin runtime.
+ */
+export function getDefaultPluginRuntime() {
+  const cacheKey = getPluginRuntimeCacheKey();
+  if (!cachedPluginRuntime || cachedPluginRuntimeKey !== cacheKey) {
+    cachedPluginRuntime = resolveCdxgenPlugins();
+    cachedPluginRuntimeKey = cacheKey;
+  }
+  return cachedPluginRuntime;
+}
+
+/**
+ * Add the detected node_modules binary directory to PATH when present.
+ *
+ * @param {ReturnType<typeof resolveCdxgenPlugins>} [pluginRuntime] Detected plugin runtime.
+ * @returns {ReturnType<typeof resolveCdxgenPlugins>} The resolved plugin runtime.
+ */
+export function setPluginsPathEnv(pluginRuntime = undefined) {
+  pluginRuntime ??= getDefaultPluginRuntime();
+  if (
+    pluginRuntime.extraNMBinPath &&
+    !process.env?.PATH?.includes(pluginRuntime.extraNMBinPath)
+  ) {
+    process.env.PATH = `${pluginRuntime.extraNMBinPath}${delimiter}${process.env.PATH}`;
+  }
+  return pluginRuntime;
+}
+
+function resolveBundledPluginBinary(toolName, pluginRuntime) {
+  if (!pluginRuntime.pluginsDir) {
+    return undefined;
+  }
+  if (!safeExistsSync(join(pluginRuntime.pluginsDir, toolName))) {
+    return undefined;
+  }
+  switch (toolName) {
+    case "trivy":
+      return join(
+        pluginRuntime.pluginsDir,
+        "trivy",
+        `trivy-cdxgen-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+    case "cargo-auditable":
+      return join(
+        pluginRuntime.pluginsDir,
+        "cargo-auditable",
+        `cargo-auditable-cdxgen-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+    case "osquery": {
+      let osqueryBin = join(
+        pluginRuntime.pluginsDir,
+        "osquery",
+        `osqueryi-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+      if (pluginRuntime.platform === "darwin") {
+        osqueryBin = `${osqueryBin}.app/Contents/MacOS/osqueryd`;
+      }
+      return osqueryBin;
+    }
+    case "dosai":
+      return join(
+        pluginRuntime.pluginsDir,
+        "dosai",
+        `dosai-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+    case "trustinspector":
+      return join(
+        pluginRuntime.pluginsDir,
+        "trustinspector",
+        `trustinspector-cdxgen-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+    case "sourcekitten":
+      return join(pluginRuntime.pluginsDir, "sourcekitten", "sourcekitten");
+    default:
+      return undefined;
+  }
+}
+
+/**
+ * Resolve a known plugin binary path, honoring explicit environment overrides.
+ *
+ * @param {string} toolName Tool identifier.
+ * @param {ReturnType<typeof resolveCdxgenPlugins>} [pluginRuntime] Detected plugin runtime.
+ * @returns {string|undefined} Resolved binary path or configured override.
+ */
+export function resolvePluginBinary(toolName, pluginRuntime = undefined) {
+  pluginRuntime ??= getDefaultPluginRuntime();
+  const envCommandName = PLUGIN_ENV_COMMAND_NAMES[toolName];
+  if (envCommandName && process.env[envCommandName]) {
+    return process.env[envCommandName];
+  }
+  return resolveBundledPluginBinary(toolName, pluginRuntime);
+}

package/lib/helpers/plugins.poku.js

@@ -0,0 +1,57 @@
+import { mkdirSync, mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import process from "node:process";
+
+import { assert, describe, it } from "poku";
+
+import { resolveCdxgenPlugins, resolvePluginBinary } from "./plugins.js";
+
+describe("plugins helper", () => {
+  it("resolvePluginBinary() prefers explicit OSQUERY_CMD overrides", () => {
+    const previousOsqueryCmd = process.env.OSQUERY_CMD;
+    try {
+      process.env.OSQUERY_CMD = "/tmp/osqueryd";
+      assert.strictEqual(resolvePluginBinary("osquery"), "/tmp/osqueryd");
+    } finally {
+      if (previousOsqueryCmd === undefined) {
+        delete process.env.OSQUERY_CMD;
+      } else {
+        process.env.OSQUERY_CMD = previousOsqueryCmd;
+      }
+    }
+  });
+
+  it("resolveCdxgenPlugins() honors CDXGEN_PLUGINS_DIR for bundled osquery binaries", () => {
+    const pluginsDir = mkdtempSync(join(tmpdir(), "cdxgen-plugins-helper-"));
+    const previousPluginsDir = process.env.CDXGEN_PLUGINS_DIR;
+    try {
+      mkdirSync(join(pluginsDir, "osquery"), { recursive: true });
+      process.env.CDXGEN_PLUGINS_DIR = pluginsDir;
+      const pluginRuntime = resolveCdxgenPlugins();
+      const osqueryBinary = resolvePluginBinary("osquery", pluginRuntime);
+      const expectedPrefix = join(
+        pluginsDir,
+        "osquery",
+        `osqueryi-${pluginRuntime.platform}-${pluginRuntime.arch}${pluginRuntime.extn}`,
+      );
+
+      assert.strictEqual(pluginRuntime.pluginsDir, pluginsDir);
+      if (pluginRuntime.platform === "darwin") {
+        assert.strictEqual(
+          osqueryBinary,
+          `${expectedPrefix}.app/Contents/MacOS/osqueryd`,
+        );
+      } else {
+        assert.strictEqual(osqueryBinary, expectedPrefix);
+      }
+    } finally {
+      rmSync(pluginsDir, { force: true, recursive: true });
+      if (previousPluginsDir === undefined) {
+        delete process.env.CDXGEN_PLUGINS_DIR;
+      } else {
+        process.env.CDXGEN_PLUGINS_DIR = previousPluginsDir;
+      }
+    }
+  });
+});

package/lib/helpers/protobom.js

@@ -1,26 +1,203 @@
 import { readFileSync } from "node:fs";
 
-import { cdx_16, cdx_17 } from "@appthreat/cdx-proto";
 import {
-  fromBinary,
-  fromJsonString,
-  toBinary,
-  toJson,
-} from "@bufbuild/protobuf";
+  createBom,
+  decodeBomBinary,
+  decodeBomJson,
+  encodeBomBinary,
+  encodeBomJson,
+  parseBomBinary,
+  parseBomJson,
+  supportedSpecVersions,
+} from "@appthreat/cdx-proto";
 
+import { toCycloneDxSpecVersionString } from "./bomUtils.js";
 import { safeExistsSync, safeWriteSync } from "./utils.js";
 
+const JSON_READ_OPTIONS = {
+  ignoreUnknownFields: true,
+};
+
+const BINARY_READ_OPTIONS = {
+  readUnknownFields: true,
+};
+
+const BINARY_WRITE_OPTIONS = {
+  writeUnknownFields: true,
+};
+
+const PROTO_BOM_FILE_EXTENSIONS = [".cdx", ".cdx.bin", ".proto"];
+
+const DEFAULT_SPEC_VERSION =
+  supportedSpecVersions[supportedSpecVersions.length - 1];
+const PROTO_SUPPORTED_SPEC_VERSIONS = new Set(
+  supportedSpecVersions.map((specVersion) =>
+    toCycloneDxSpecVersionString(specVersion),
+  ),
+);
+
+const isProtoMessageBom = (bom) =>
+  Boolean(
+    bom &&
+      typeof bom === "object" &&
+      !Array.isArray(bom) &&
+      typeof bom.$typeName === "string" &&
+      bom.specVersion,
+  );
+
+const hasExplicitSpecVersion = (bomJson) =>
+  Boolean(
+    bomJson &&
+      typeof bomJson === "object" &&
+      !Array.isArray(bomJson) &&
+      (bomJson.specVersion !== undefined || bomJson.spec_version !== undefined),
+  );
+
+const resolveExplicitSpecVersion = (bomJson) =>
+  bomJson?.specVersion ?? bomJson?.spec_version;
+
+const hasProvidedSpecVersion = (specVersion) =>
+  specVersion !== undefined &&
+  specVersion !== null &&
+  `${specVersion}`.trim() !== "";
+
+export const isProtoSupportedSpecVersion = (specVersion) => {
+  if (!hasProvidedSpecVersion(specVersion)) {
+    return true;
+  }
+  const normalizedSpecVersion = toCycloneDxSpecVersionString(specVersion);
+  return (
+    normalizedSpecVersion !== undefined &&
+    PROTO_SUPPORTED_SPEC_VERSIONS.has(normalizedSpecVersion)
+  );
+};
+
+export const assertProtoSupportedSpecVersion = (
+  specVersion,
+  operation = "protobuf operations",
+) => {
+  if (!hasProvidedSpecVersion(specVersion)) {
+    return;
+  }
+  const normalizedSpecVersion = toCycloneDxSpecVersionString(specVersion);
+  if (isProtoSupportedSpecVersion(specVersion)) {
+    return;
+  }
+  const displaySpecVersion = normalizedSpecVersion || `${specVersion}`.trim();
+  throw new Error(
+    `CycloneDX ${displaySpecVersion} is not currently supported for ${operation}. @appthreat/cdx-proto supports ${supportedSpecVersions.join(", ")} only.`,
+  );
+};
+
+const OBJECT_WRAPPED_LIST_FIELDS = ["declarations", "definitions"];
+
+const isPlainObject = (value) =>
+  Boolean(value && typeof value === "object" && !Array.isArray(value));
+
+const normalizeObjectWrappedListsForProto = (bomJson) => {
+  if (!isPlainObject(bomJson)) {
+    return bomJson;
+  }
+  const normalizedBomJson = { ...bomJson };
+  for (const fieldName of OBJECT_WRAPPED_LIST_FIELDS) {
+    if (isPlainObject(normalizedBomJson[fieldName])) {
+      normalizedBomJson[fieldName] = [normalizedBomJson[fieldName]];
+    }
+  }
+  return normalizedBomJson;
+};
+
+const mergeObjectWrappedListEntries = (entries) => {
+  const mergedEntry = {};
+  for (const entry of entries) {
+    if (!isPlainObject(entry)) {
+      continue;
+    }
+    for (const [key, value] of Object.entries(entry)) {
+      if (value === undefined) {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        mergedEntry[key] = [...(mergedEntry[key] || []), ...value];
+        continue;
+      }
+      if (isPlainObject(value) && isPlainObject(mergedEntry[key])) {
+        mergedEntry[key] = { ...mergedEntry[key], ...value };
+        continue;
+      }
+      if (mergedEntry[key] === undefined) {
+        mergedEntry[key] = value;
+      }
+    }
+  }
+  return Object.keys(mergedEntry).length ? mergedEntry : undefined;
+};
+
+const normalizeObjectWrappedListsFromProto = (bomJson) => {
+  if (!isPlainObject(bomJson)) {
+    return bomJson;
+  }
+  const normalizedBomJson = { ...bomJson };
+  for (const fieldName of OBJECT_WRAPPED_LIST_FIELDS) {
+    if (!Array.isArray(normalizedBomJson[fieldName])) {
+      continue;
+    }
+    const mergedEntry = mergeObjectWrappedListEntries(
+      normalizedBomJson[fieldName],
+    );
+    if (mergedEntry) {
+      normalizedBomJson[fieldName] = mergedEntry;
+    } else {
+      delete normalizedBomJson[fieldName];
+    }
+  }
+  return normalizedBomJson;
+};
+
+const resolveBomMessage = (bomJson, specVersion = DEFAULT_SPEC_VERSION) => {
+  if (isProtoMessageBom(bomJson)) {
+    return bomJson;
+  }
+  if (typeof bomJson === "string" || bomJson instanceof String) {
+    const parsedBomJson = normalizeObjectWrappedListsForProto(
+      JSON.parse(`${bomJson}`),
+    );
+    if (hasExplicitSpecVersion(parsedBomJson)) {
+      assertProtoSupportedSpecVersion(
+        resolveExplicitSpecVersion(parsedBomJson),
+        "protobuf serialization",
+      );
+      return parseBomJson(parsedBomJson, JSON_READ_OPTIONS);
+    }
+    assertProtoSupportedSpecVersion(specVersion, "protobuf serialization");
+    return decodeBomJson(specVersion, parsedBomJson, JSON_READ_OPTIONS);
+  }
+  if (bomJson && typeof bomJson === "object" && !Array.isArray(bomJson)) {
+    const normalizedBomJson = normalizeObjectWrappedListsForProto(bomJson);
+    if (hasExplicitSpecVersion(normalizedBomJson)) {
+      assertProtoSupportedSpecVersion(
+        resolveExplicitSpecVersion(normalizedBomJson),
+        "protobuf serialization",
+      );
+      return parseBomJson(normalizedBomJson, JSON_READ_OPTIONS);
+    }
+    assertProtoSupportedSpecVersion(specVersion, "protobuf serialization");
+    return decodeBomJson(specVersion, normalizedBomJson, JSON_READ_OPTIONS);
+  }
+  return createBom(specVersion);
+};
+
 /**
- * Stringify the given bom json based on the type.
+ * Determine whether a path looks like a CycloneDX protobuf file.
  *
- * @param {string | Object} bomJson string or object
- * @returns {string} BOM json string
+ * @param {string} filePath File path
+ * @returns {boolean} true when the path looks like a protobuf BOM file
  */
-const stringifyIfNeeded = (bomJson) => {
-  if (typeof bomJson === "string" || bomJson instanceof String) {
-    return bomJson;
-  }
-  return JSON.stringify(bomJson);
+export const isProtoBomFile = (filePath) => {
+  const normalizedPath = `${filePath || ""}`.toLowerCase();
+  return PROTO_BOM_FILE_EXTENSIONS.some((extension) =>
+    normalizedPath.endsWith(extension),
+  );
 };
 
 /**
@@ -28,27 +205,16 @@ const stringifyIfNeeded = (bomJson) => {
  *
  * @param {string | Object} bomJson BOM Json
  * @param {string} binFile Binary file name
+ * @param {string | number} [specVersion] CycloneDX spec version fallback for BOMs without specVersion
  */
-export const writeBinary = (bomJson, binFile) => {
+export const writeBinary = (
+  bomJson,
+  binFile,
+  specVersion = DEFAULT_SPEC_VERSION,
+) => {
   if (bomJson && binFile) {
-    let bomSchema;
-    if (+bomJson.specVersion === 1.7) {
-      bomSchema = cdx_17.BomSchema;
-    } else {
-      bomSchema = cdx_16.BomSchema;
-    }
-    safeWriteSync(
-      binFile,
-      toBinary(
-        bomSchema,
-        fromJsonString(bomSchema, stringifyIfNeeded(bomJson), {
-          ignoreUnknownFields: true,
-        }),
-      ),
-      {
-        writeUnknownFields: true,
-      },
-    );
+    const bomMessage = resolveBomMessage(bomJson, specVersion);
+    safeWriteSync(binFile, encodeBomBinary(bomMessage, BINARY_WRITE_OPTIONS));
   }
 };
 
@@ -57,23 +223,21 @@ export const writeBinary = (bomJson, binFile) => {
  *
  * @param {string} binFile Binary file name
  * @param {boolean} asJson Convert to JSON
- * @param {number} specVersion Specification version. Defaults to 1.7
+ * @param {string | number} [specVersion] Optional specification version. When omitted, cdxgen auto-detects the matching schema.
  */
-export const readBinary = (binFile, asJson = true, specVersion = 1.7) => {
+export const readBinary = (binFile, asJson, specVersion) => {
+  asJson = asJson ?? true;
+  assertProtoSupportedSpecVersion(specVersion, "protobuf decoding");
   if (!safeExistsSync(binFile)) {
     return undefined;
   }
-  let bomSchema;
-  if (specVersion === 1.7) {
-    bomSchema = cdx_17.BomSchema;
-  } else {
-    bomSchema = cdx_16.BomSchema;
-  }
-  const bomObject = fromBinary(bomSchema, readFileSync(binFile), {
-    readUnknownFields: true,
-  });
+  const binaryData = readFileSync(binFile);
+  const bomObject =
+    specVersion !== undefined && specVersion !== null && specVersion !== ""
+      ? decodeBomBinary(specVersion, binaryData, BINARY_READ_OPTIONS)
+      : parseBomBinary(binaryData, BINARY_READ_OPTIONS);
   if (asJson) {
-    return toJson(bomSchema, bomObject, { emitDefaultValues: true });
+    return normalizeObjectWrappedListsFromProto(encodeBomJson(bomObject));
   }
   return bomObject;
 };