@cyclonedx/cdxgen 12.4.0 → 12.4.1

package/lib/audit/index.js

@@ -6,6 +6,7 @@ import process from "node:process";
 import { createBom } from "../cli/index.js";
 import { DEFAULT_HBOM_AUDIT_CATEGORIES } from "../helpers/auditCategories.js";
 import {
+  getCycloneDxFormat,
   getNonCycloneDxErrorMessage,
   isCycloneDxBom,
 } from "../helpers/bomUtils.js";
@@ -230,7 +231,7 @@ export async function runDirectBomAuditFromBoms(inputBoms, options = {}) {
     const findings = await auditBom(inputBom.bomJson, directAuditOptions);
     results.push({
       auditOptions: directAuditOptions,
-      bomFormat: inputBom.bomJson?.bomFormat,
+      bomFormat: getCycloneDxFormat(inputBom.bomJson),
       findings,
       serialNumber: inputBom.bomJson?.serialNumber,
       source: inputBom.source,

package/lib/cli/index.js

@@ -41,6 +41,10 @@ import {
   rewriteExtractedArchivePaths,
 } from "../helpers/asarutils.js";
 import { expandBomAuditCategories } from "../helpers/auditCategories.js";
+import {
+  setCycloneDxFormat,
+  toCycloneDxSpecVersionString,
+} from "../helpers/bomUtils.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
 import { collectSourceCryptoComponents } from "../helpers/cbomutils.js";
 import {
@@ -1393,13 +1397,16 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
     // CycloneDX Json Template
     const jsonTpl = {
       bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || "1.7"}`,
+      specVersion: toCycloneDxSpecVersionString(options.specVersion || "1.7"),
       serialNumber: serialNum,
       version: 1,
       metadata: metadata,
       components,
       dependencies,
     };
+    setCycloneDxFormat(jsonTpl, jsonTpl.specVersion, {
+      preserveLegacyBomFormat: true,
+    });
     if (services.length) {
       jsonTpl.services = mergeServices([], services);
     }
@@ -8392,16 +8399,19 @@ export function dedupeBom(options, components, parentComponent, dependencies) {
     options,
     parentComponent,
     components,
-    bomJson: {
-      bomFormat: "CycloneDX",
-      specVersion: `${options.specVersion || 1.7}`,
-      serialNumber: serialNum,
-      version: 1,
-      metadata: addMetadata(parentComponent, options, {}),
-      components,
-      services: options.services || [],
-      dependencies,
-    },
+    bomJson: setCycloneDxFormat(
+      {
+        specVersion: toCycloneDxSpecVersionString(options.specVersion || 1.7),
+        serialNumber: serialNum,
+        version: 1,
+        metadata: addMetadata(parentComponent, options, {}),
+        components,
+        services: options.services || [],
+        dependencies,
+      },
+      options.specVersion || 1.7,
+      { preserveLegacyBomFormat: true },
+    ),
   };
 }
 

package/lib/cli/index.poku.js

@@ -623,6 +623,7 @@ describe("CLI tests", () => {
               false,
             );
           },
+          isolateDepsSlicesFile: true,
           expectedSpecVersion: (specVersion) => specVersion,
           name: "cbom",
         },
@@ -651,6 +652,13 @@ describe("CLI tests", () => {
               fixtureRoot,
               `${scenario.name}-${specVersion}.spdx.json`,
             );
+            const depsSlicesPath = join(
+              fixtureRoot,
+              `${scenario.name}-${specVersion}.deps.slices.json`,
+            );
+            const depsSlicesArgs = scenario.isolateDepsSlicesFile
+              ? ["--deps-slices-file", depsSlicesPath]
+              : [];
             const generateResult = spawnSync(
               process.execPath,
               [
@@ -660,6 +668,7 @@ describe("CLI tests", () => {
                 jsonPath,
                 "--spec-version",
                 specVersion,
+                ...depsSlicesArgs,
                 "--export-proto",
                 "--proto-bin-file",
                 protoPath,
@@ -738,6 +747,114 @@ describe("CLI tests", () => {
             scenario.assertRoundTrip(roundTrippedBom);
           }
         }
+        assert.strictEqual(
+          existsSync(join(repoDir, "deps.slices.json")),
+          false,
+          "protobuf round-trip tests must not leave deps.slices.json in the repository root",
+        );
+      } finally {
+        rmSync(join(repoDir, "deps.slices.json"), { force: true });
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+  });
+
+  describe("CycloneDX 2.0 JSON output", () => {
+    it("generates valid experimental 2.0-dev JSON with specFormat", () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-json20-"));
+      try {
+        const jsonPath = join(fixtureRoot, "bom-2.0.json");
+        const generateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "js",
+            mcpFixtureDir,
+            "-o",
+            jsonPath,
+            "--spec-version",
+            "2.0",
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(
+          generateResult.status,
+          0,
+          `${generateResult.stdout}${generateResult.stderr}`,
+        );
+
+        const generatedBom = JSON.parse(readFileSync(jsonPath, "utf8"));
+        assert.strictEqual(generatedBom.specFormat, "CycloneDX");
+        assert.strictEqual(generatedBom.bomFormat, undefined);
+        assert.strictEqual(generatedBom.specVersion, "2.0");
+        assert.ok(Array.isArray(generatedBom.metadata?.tools?.components));
+
+        const validateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "validate.js"),
+            "-i",
+            jsonPath,
+            "--fail-severity",
+            "critical",
+            "--no-deep",
+            "--report",
+            "json",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(
+          validateResult.status,
+          0,
+          `${validateResult.stdout}${validateResult.stderr}`,
+        );
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+
+    it("rejects experimental 2.0-dev protobuf export until cdx-proto supports it", () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-proto20-"));
+      try {
+        const jsonPath = join(fixtureRoot, "bom-2.0.json");
+        const protoPath = join(fixtureRoot, "bom-2.0.cdx");
+        const generateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "js",
+            mcpFixtureDir,
+            "-o",
+            jsonPath,
+            "--spec-version",
+            "2.0",
+            "--export-proto",
+            "--proto-bin-file",
+            protoPath,
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(generateResult.status, 1);
+        assert.match(
+          `${generateResult.stdout}${generateResult.stderr}`,
+          /CycloneDX 2\.0 is not currently supported for protobuf export/i,
+        );
       } finally {
         rmSync(fixtureRoot, { force: true, recursive: true });
       }

package/lib/helpers/bomUtils.js

@@ -1,8 +1,16 @@
 const SPDX_CONTEXT_PREFIX = "https://spdx.org/rdf/";
 const CYCLONEDX_FORMAT = "CycloneDX";
+const LEGACY_CYCLONEDX_ROOT_KEY = "bomFormat";
+const MODERN_CYCLONEDX_ROOT_KEY = "specFormat";
 const BOM_FORMAT_CYCLONEDX = "cyclonedx";
 const BOM_FORMAT_SPDX = "spdx";
 const BOM_FORMAT_UNKNOWN = "unknown";
+const CYCLONEDX_SPEC_VERSION_PATTERN = /^(\d+)(?:\.(\d+))?$/u;
+const CYCLONEDX_FORMAT_KEYS = new Set([
+  LEGACY_CYCLONEDX_ROOT_KEY,
+  MODERN_CYCLONEDX_ROOT_KEY,
+  "specVersion",
+]);
 
 export const isSpdxJsonLd = (bomJson) =>
   Boolean(
@@ -11,8 +19,154 @@ export const isSpdxJsonLd = (bomJson) =>
       bomJson["@graph"].some((element) => element?.type === "SpdxDocument"),
   );
 
+const parseCycloneDxSpecVersion = (specVersion) => {
+  const match = `${specVersion ?? ""}`
+    .trim()
+    .match(CYCLONEDX_SPEC_VERSION_PATTERN);
+  if (!match) {
+    return undefined;
+  }
+  return {
+    major: Number.parseInt(match[1], 10),
+    minor: Number.parseInt(match[2] || "0", 10),
+    minorText: match[2] || "0",
+  };
+};
+
+export const normalizeCycloneDxSpecVersion = (specVersion) => {
+  const parsed = parseCycloneDxSpecVersion(specVersion);
+  if (!parsed) {
+    return undefined;
+  }
+  return Number(`${parsed.major}.${parsed.minor}`);
+};
+
+export const toCycloneDxSpecVersionString = (specVersion) => {
+  const parsed = parseCycloneDxSpecVersion(specVersion);
+  if (!parsed) {
+    return undefined;
+  }
+  if (typeof specVersion === "string" && parsed.minorText !== "0") {
+    return `${parsed.major}.${parsed.minorText}`;
+  }
+  return `${parsed.major}.${parsed.minor}`;
+};
+
+export const isCycloneDxSpecVersionAtLeast = (specVersion, minimumVersion) => {
+  const parsedSpecVersion = parseCycloneDxSpecVersion(specVersion);
+  const parsedMinimumVersion = parseCycloneDxSpecVersion(minimumVersion);
+  if (!parsedSpecVersion || !parsedMinimumVersion) {
+    return false;
+  }
+  if (parsedSpecVersion.major !== parsedMinimumVersion.major) {
+    return parsedSpecVersion.major > parsedMinimumVersion.major;
+  }
+  return parsedSpecVersion.minor >= parsedMinimumVersion.minor;
+};
+
+export const isCycloneDx20SpecVersion = (specVersion) =>
+  isCycloneDxSpecVersionAtLeast(specVersion, 2);
+
+export const getCycloneDxRootFormatKey = (specVersionOrBom) => {
+  const specVersion =
+    specVersionOrBom && typeof specVersionOrBom === "object"
+      ? specVersionOrBom.specVersion
+      : specVersionOrBom;
+  return isCycloneDx20SpecVersion(specVersion)
+    ? MODERN_CYCLONEDX_ROOT_KEY
+    : LEGACY_CYCLONEDX_ROOT_KEY;
+};
+
+export const getCycloneDxFormat = (bomJson) =>
+  bomJson?.specFormat || bomJson?.bomFormat;
+
+export const hasCycloneDxFormat = (bomJson) =>
+  getCycloneDxFormat(bomJson) === CYCLONEDX_FORMAT;
+
 export const isCycloneDxBom = (bomJson) =>
-  bomJson?.bomFormat === CYCLONEDX_FORMAT && Boolean(bomJson?.specVersion);
+  hasCycloneDxFormat(bomJson) &&
+  normalizeCycloneDxSpecVersion(bomJson?.specVersion) !== undefined;
+
+const rewriteCycloneDxRootFields = (
+  bomJson,
+  rootKey,
+  specVersion,
+  preserveLegacyBomFormat,
+) => {
+  const remainingEntries = Object.entries(bomJson).filter(
+    ([key]) => !CYCLONEDX_FORMAT_KEYS.has(key),
+  );
+  for (const key of Object.keys(bomJson)) {
+    delete bomJson[key];
+  }
+  if (rootKey === LEGACY_CYCLONEDX_ROOT_KEY) {
+    bomJson.bomFormat = CYCLONEDX_FORMAT;
+    if (specVersion !== undefined) {
+      bomJson.specVersion = specVersion;
+    }
+  } else if (preserveLegacyBomFormat) {
+    bomJson.bomFormat = CYCLONEDX_FORMAT;
+    if (specVersion !== undefined) {
+      bomJson.specVersion = specVersion;
+    }
+    bomJson.specFormat = CYCLONEDX_FORMAT;
+  } else {
+    bomJson.specFormat = CYCLONEDX_FORMAT;
+    if (specVersion !== undefined) {
+      bomJson.specVersion = specVersion;
+    }
+  }
+  for (const [key, value] of remainingEntries) {
+    bomJson[key] = value;
+  }
+};
+
+/**
+ * Mutates a CycloneDX BOM object so the appropriate root format key is present
+ * for the requested spec version, while preserving conventional serialized
+ * root-key ordering (`bomFormat`/`specFormat` and `specVersion` first). Only the currently
+ * supported CycloneDX major.minor version shape is accepted; multi-component
+ * future versions such as `2.0.1` intentionally return `undefined` from the
+ * normalizer rather than being silently truncated.
+ *
+ * @param {object} bomJson BOM JSON object to mutate.
+ * @param {string|number} specVersion Desired CycloneDX spec version.
+ * @param {object} options Root-key compatibility options.
+ * @returns {object} The same `bomJson` object, after in-place mutation.
+ */
+export const setCycloneDxFormat = (
+  bomJson,
+  specVersion,
+  { preserveLegacyBomFormat = false } = {},
+) => {
+  if (!bomJson || typeof bomJson !== "object" || Array.isArray(bomJson)) {
+    return bomJson;
+  }
+  const resolvedSpecVersion =
+    toCycloneDxSpecVersionString(specVersion ?? bomJson.specVersion) ||
+    bomJson.specVersion;
+  if (resolvedSpecVersion !== undefined) {
+    bomJson.specVersion = resolvedSpecVersion;
+  }
+  if (
+    getCycloneDxRootFormatKey(resolvedSpecVersion) === MODERN_CYCLONEDX_ROOT_KEY
+  ) {
+    rewriteCycloneDxRootFields(
+      bomJson,
+      MODERN_CYCLONEDX_ROOT_KEY,
+      resolvedSpecVersion,
+      preserveLegacyBomFormat,
+    );
+    return bomJson;
+  }
+  rewriteCycloneDxRootFields(
+    bomJson,
+    LEGACY_CYCLONEDX_ROOT_KEY,
+    resolvedSpecVersion,
+    false,
+  );
+  return bomJson;
+};
 
 export const detectBomFormat = (bomJson) => {
   if (isCycloneDxBom(bomJson)) {

package/lib/helpers/bomUtils.poku.js

@@ -2,9 +2,16 @@ import { assert, describe, it } from "poku";
 
 import {
   detectBomFormat,
+  getCycloneDxFormat,
+  getCycloneDxRootFormatKey,
   getNonCycloneDxErrorMessage,
+  isCycloneDx20SpecVersion,
   isCycloneDxBom,
+  isCycloneDxSpecVersionAtLeast,
   isSpdxJsonLd,
+  normalizeCycloneDxSpecVersion,
+  setCycloneDxFormat,
+  toCycloneDxSpecVersionString,
 } from "./bomUtils.js";
 
 const sampleSpdx = {
@@ -13,7 +20,7 @@ const sampleSpdx = {
 };
 
 describe("bomUtils", () => {
-  it("detects CycloneDX documents", () => {
+  it("detects CycloneDX documents across root format styles", () => {
     assert.strictEqual(
       isCycloneDxBom({
         bomFormat: "CycloneDX",
@@ -21,6 +28,13 @@ describe("bomUtils", () => {
       }),
       true,
     );
+    assert.strictEqual(
+      isCycloneDxBom({
+        specFormat: "CycloneDX",
+        specVersion: "2.0",
+      }),
+      true,
+    );
     assert.strictEqual(isCycloneDxBom(sampleSpdx), false);
   });
 
@@ -35,6 +49,10 @@ describe("bomUtils", () => {
       detectBomFormat({ bomFormat: "CycloneDX", specVersion: "1.6" }),
       "cyclonedx",
     );
+    assert.strictEqual(
+      detectBomFormat({ specFormat: "CycloneDX", specVersion: "2.0" }),
+      "cyclonedx",
+    );
     assert.strictEqual(detectBomFormat({ foo: "bar" }), "unknown");
   });
 
@@ -48,4 +66,64 @@ describe("bomUtils", () => {
       "cdx-sign expects a CycloneDX JSON BOM.",
     );
   });
+
+  it("normalizes CycloneDX spec versions and capability checks", () => {
+    assert.strictEqual(normalizeCycloneDxSpecVersion("2.0"), 2);
+    assert.strictEqual(normalizeCycloneDxSpecVersion(undefined), undefined);
+    assert.strictEqual(normalizeCycloneDxSpecVersion("2.0.1"), undefined);
+    assert.strictEqual(toCycloneDxSpecVersionString(2), "2.0");
+    assert.strictEqual(toCycloneDxSpecVersionString("1.10"), "1.10");
+    assert.strictEqual(toCycloneDxSpecVersionString("2.0.1"), undefined);
+    assert.strictEqual(isCycloneDx20SpecVersion("2.0"), true);
+    assert.strictEqual(isCycloneDx20SpecVersion("1.7"), false);
+    assert.strictEqual(isCycloneDxSpecVersionAtLeast("2.0", 1.7), true);
+    assert.strictEqual(isCycloneDxSpecVersionAtLeast("1.10", "1.7"), true);
+    assert.strictEqual(isCycloneDxSpecVersionAtLeast(undefined, 1.7), false);
+  });
+
+  it("selects and writes the correct CycloneDX root format key", () => {
+    assert.strictEqual(getCycloneDxRootFormatKey("1.7"), "bomFormat");
+    assert.strictEqual(getCycloneDxRootFormatKey("2.0"), "specFormat");
+
+    const bom17 = setCycloneDxFormat(
+      { name: "demo", specVersion: "1.7" },
+      "1.7",
+    );
+    assert.strictEqual(bom17.bomFormat, "CycloneDX");
+    assert.strictEqual(bom17.specFormat, undefined);
+    assert.strictEqual(getCycloneDxFormat(bom17), "CycloneDX");
+    assert.deepStrictEqual(Object.keys(bom17), [
+      "bomFormat",
+      "specVersion",
+      "name",
+    ]);
+
+    const bom20Input = { name: "demo", specVersion: 2 };
+    const bom20 = setCycloneDxFormat(bom20Input, 2);
+    assert.strictEqual(bom20, bom20Input);
+    assert.strictEqual(bom20.specFormat, "CycloneDX");
+    assert.strictEqual(bom20.bomFormat, undefined);
+    assert.strictEqual(bom20.specVersion, "2.0");
+    assert.deepStrictEqual(Object.keys(bom20), [
+      "specFormat",
+      "specVersion",
+      "name",
+    ]);
+
+    const internalBom20 = setCycloneDxFormat(
+      { name: "demo", specVersion: 2 },
+      2,
+      {
+        preserveLegacyBomFormat: true,
+      },
+    );
+    assert.strictEqual(internalBom20.specFormat, "CycloneDX");
+    assert.strictEqual(internalBom20.bomFormat, "CycloneDX");
+    assert.deepStrictEqual(Object.keys(internalBom20), [
+      "bomFormat",
+      "specVersion",
+      "specFormat",
+      "name",
+    ]);
+  });
 });

package/lib/helpers/plugins.js

@@ -24,6 +24,21 @@ function isMusl() {
   return result?.stdout?.includes("musl") || result?.stderr?.includes("musl");
 }
 
+function hasUsablePluginsDir(pluginsDir) {
+  return (
+    safeExistsSync(pluginsDir) &&
+    (safeExistsSync(join(pluginsDir, "plugins-manifest.json")) ||
+      [
+        "cargo-auditable",
+        "dosai",
+        "osquery",
+        "sourcekitten",
+        "trivy",
+        "trustinspector",
+      ].some((pluginName) => safeExistsSync(join(pluginsDir, pluginName))))
+  );
+}
+
 /**
  * Determine the normalized plugin target tuple for the current runtime.
  *
@@ -81,17 +96,13 @@ export function resolveCdxgenPlugins() {
   let pluginsDir = process.env.CDXGEN_PLUGINS_DIR || "";
   let extraNMBinPath;
 
-  if (
-    !pluginsDir &&
-    safeExistsSync(join(dirNameStr, "plugins")) &&
-    safeExistsSync(join(dirNameStr, "plugins", "trivy"))
-  ) {
+  if (!pluginsDir && hasUsablePluginsDir(join(dirNameStr, "plugins"))) {
     pluginsDir = join(dirNameStr, "plugins");
   }
 
   if (
     !pluginsDir &&
-    safeExistsSync(
+    hasUsablePluginsDir(
       join(
         dirNameStr,
         "node_modules",
@@ -99,16 +110,6 @@ export function resolveCdxgenPlugins() {
         `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
         "plugins",
       ),
-    ) &&
-    safeExistsSync(
-      join(
-        dirNameStr,
-        "node_modules",
-        "@cdxgen",
-        `cdxgen-plugins-bin${target.pluginsBinSuffix}`,
-        "plugins",
-        "trivy",
-      ),
     )
   ) {
     pluginsDir = join(

package/lib/helpers/protobom.js

@@ -11,6 +11,7 @@ import {
   supportedSpecVersions,
 } from "@appthreat/cdx-proto";
 
+import { toCycloneDxSpecVersionString } from "./bomUtils.js";
 import { safeExistsSync, safeWriteSync } from "./utils.js";
 
 const JSON_READ_OPTIONS = {
@@ -29,6 +30,11 @@ const PROTO_BOM_FILE_EXTENSIONS = [".cdx", ".cdx.bin", ".proto"];
 
 const DEFAULT_SPEC_VERSION =
   supportedSpecVersions[supportedSpecVersions.length - 1];
+const PROTO_SUPPORTED_SPEC_VERSIONS = new Set(
+  supportedSpecVersions.map((specVersion) =>
+    toCycloneDxSpecVersionString(specVersion),
+  ),
+);
 
 const isProtoMessageBom = (bom) =>
   Boolean(
@@ -47,6 +53,42 @@ const hasExplicitSpecVersion = (bomJson) =>
       (bomJson.specVersion !== undefined || bomJson.spec_version !== undefined),
   );
 
+const resolveExplicitSpecVersion = (bomJson) =>
+  bomJson?.specVersion ?? bomJson?.spec_version;
+
+const hasProvidedSpecVersion = (specVersion) =>
+  specVersion !== undefined &&
+  specVersion !== null &&
+  `${specVersion}`.trim() !== "";
+
+export const isProtoSupportedSpecVersion = (specVersion) => {
+  if (!hasProvidedSpecVersion(specVersion)) {
+    return true;
+  }
+  const normalizedSpecVersion = toCycloneDxSpecVersionString(specVersion);
+  return (
+    normalizedSpecVersion !== undefined &&
+    PROTO_SUPPORTED_SPEC_VERSIONS.has(normalizedSpecVersion)
+  );
+};
+
+export const assertProtoSupportedSpecVersion = (
+  specVersion,
+  operation = "protobuf operations",
+) => {
+  if (!hasProvidedSpecVersion(specVersion)) {
+    return;
+  }
+  const normalizedSpecVersion = toCycloneDxSpecVersionString(specVersion);
+  if (isProtoSupportedSpecVersion(specVersion)) {
+    return;
+  }
+  const displaySpecVersion = normalizedSpecVersion || `${specVersion}`.trim();
+  throw new Error(
+    `CycloneDX ${displaySpecVersion} is not currently supported for ${operation}. @appthreat/cdx-proto supports ${supportedSpecVersions.join(", ")} only.`,
+  );
+};
+
 const OBJECT_WRAPPED_LIST_FIELDS = ["declarations", "definitions"];
 
 const isPlainObject = (value) =>
@@ -121,15 +163,25 @@ const resolveBomMessage = (bomJson, specVersion = DEFAULT_SPEC_VERSION) => {
       JSON.parse(`${bomJson}`),
     );
     if (hasExplicitSpecVersion(parsedBomJson)) {
+      assertProtoSupportedSpecVersion(
+        resolveExplicitSpecVersion(parsedBomJson),
+        "protobuf serialization",
+      );
       return parseBomJson(parsedBomJson, JSON_READ_OPTIONS);
     }
+    assertProtoSupportedSpecVersion(specVersion, "protobuf serialization");
     return decodeBomJson(specVersion, parsedBomJson, JSON_READ_OPTIONS);
   }
   if (bomJson && typeof bomJson === "object" && !Array.isArray(bomJson)) {
     const normalizedBomJson = normalizeObjectWrappedListsForProto(bomJson);
     if (hasExplicitSpecVersion(normalizedBomJson)) {
+      assertProtoSupportedSpecVersion(
+        resolveExplicitSpecVersion(normalizedBomJson),
+        "protobuf serialization",
+      );
       return parseBomJson(normalizedBomJson, JSON_READ_OPTIONS);
     }
+    assertProtoSupportedSpecVersion(specVersion, "protobuf serialization");
     return decodeBomJson(specVersion, normalizedBomJson, JSON_READ_OPTIONS);
   }
   return createBom(specVersion);
@@ -175,6 +227,7 @@ export const writeBinary = (
  */
 export const readBinary = (binFile, asJson, specVersion) => {
   asJson = asJson ?? true;
+  assertProtoSupportedSpecVersion(specVersion, "protobuf decoding");
   if (!safeExistsSync(binFile)) {
     return undefined;
   }