@cyclonedx/cdxgen 12.4.2 → 12.4.4

package/lib/helpers/utils.js

@@ -56,6 +56,7 @@ import { getTreeWithPlugin } from "../managers/piptree.js";
 import { IriValidationStrategy, validateIri } from "../parsers/iri.js";
 import Arborist from "../third-party/arborist/lib/index.js";
 import { analyzeSuspiciousJsFile } from "./analyzer.js";
+import { buildAtomCommandEnv } from "./atomUtils.js";
 import { DEFAULT_HBOM_AUDIT_CATEGORIES } from "./auditCategories.js";
 import { parseWorkflowFile } from "./ciParsers/githubActions.js";
 import {
@@ -1115,6 +1116,50 @@ function isWindowsShellHijackRisk(command, options) {
 
 const VERSION_PROBE_ARGS = new Set(["--version", "-version", "version"]);
 
+const POSIX_SHELL_METACHARACTERS = /[;&|<>$`\\\n\r]/;
+const WINDOWS_SHELL_METACHARACTERS = /[&|<>^%\n\r]/;
+
+function hasShellMetacharacters(value) {
+  if (value === undefined || value === null) {
+    return false;
+  }
+  const stringValue = String(value);
+  return isWin
+    ? WINDOWS_SHELL_METACHARACTERS.test(stringValue)
+    : POSIX_SHELL_METACHARACTERS.test(stringValue);
+}
+
+function getUnsafeShellToken(command, args) {
+  if (hasShellMetacharacters(command)) {
+    return command;
+  }
+  const argList = Array.isArray(args)
+    ? args
+    : args === undefined || args === null
+      ? []
+      : [args];
+  return argList.find((arg) => hasShellMetacharacters(arg));
+}
+
+function recordSuspiciousShellPathActivities(files, metadata = {}) {
+  for (const file of files) {
+    if (!hasShellMetacharacters(file)) {
+      continue;
+    }
+    recordActivity({
+      classification: "suspicious-path",
+      discoveryType: metadata.discoveryType,
+      kind: "inspect",
+      pattern: metadata.pattern,
+      reason:
+        "Suspicious path contains shell metacharacters. cdxgen passes direct process arguments as argv values, but review this path before invoking external build tools on untrusted projects.",
+      risk: "shell-metacharacters",
+      status: "completed",
+      target: file,
+    });
+  }
+}
+
 function detectProbeType(command, args = []) {
   const normalizedCommand = basename(String(command || "")).toLowerCase();
   const normalizedArgs = (args || []).map((arg) => String(arg).toLowerCase());
@@ -1297,6 +1342,26 @@ export function safeSpawnSync(command, args, options) {
   if (options.cdxgenActivity) {
     delete options.cdxgenActivity;
   }
+  if (options.shell === true) {
+    const unsafeShellToken = getUnsafeShellToken(command, args);
+    if (unsafeShellToken !== undefined) {
+      const blockedReason = `Blocked shell execution for ${command}: command or argument contains shell metacharacters.`;
+      console.warn(`\x1b[1;31mSecurity Alert: ${blockedReason}\x1b[0m`);
+      recordActivity({
+        kind: activityDescriptor.kind,
+        ...activityDescriptor.metadata,
+        reason: blockedReason,
+        status: "blocked",
+        target: activityDescriptor.target,
+      });
+      return {
+        status: 1,
+        stdout: undefined,
+        stderr: undefined,
+        error: new Error(blockedReason),
+      };
+    }
+  }
   // Inject maxBuffer
   if (!options.maxBuffer) {
     options.maxBuffer = MAX_BUFFER;
@@ -1496,6 +1561,55 @@ export const PREFER_MAVEN_DEPS_TREE = !["false", "0"].includes(
   process.env?.PREFER_MAVEN_DEPS_TREE,
 );
 
+export function parseMavenArgs(argsString) {
+  if (!argsString) {
+    return [];
+  }
+  const args = [];
+  let currentArg = "";
+  let quoteChar = "";
+  for (let i = 0; i < argsString.length; i++) {
+    const char = argsString[i];
+    if (char === "\\") {
+      const nextChar = argsString[i + 1];
+      if (
+        nextChar &&
+        (/\s/.test(nextChar) || nextChar === '"' || nextChar === "'")
+      ) {
+        currentArg += nextChar;
+        i++;
+      } else {
+        currentArg += char;
+      }
+      continue;
+    }
+    if (quoteChar) {
+      if (char === quoteChar) {
+        quoteChar = "";
+      } else {
+        currentArg += char;
+      }
+      continue;
+    }
+    if (char === '"' || char === "'") {
+      quoteChar = char;
+      continue;
+    }
+    if (/\s/.test(char)) {
+      if (currentArg) {
+        args.push(currentArg);
+        currentArg = "";
+      }
+      continue;
+    }
+    currentArg += char;
+  }
+  if (currentArg) {
+    args.push(currentArg);
+  }
+  return args;
+}
+
 /**
  * Determines whether license information should be fetched from remote sources,
  * based on the FETCH_LICENSE environment variable.
@@ -2376,6 +2490,10 @@ export function getAllFilesWithIgnore(
       reasonBuilder: (count) =>
         `Scanned ${dirPath} with glob '${patternValue}' for ${discoveryMetadata.label}; matched ${files.length} path(s)${buildReadCountSuffix(count)}.`,
     });
+    recordSuspiciousShellPathActivities(files, {
+      discoveryType: discoveryMetadata.discoveryType,
+      pattern: patternValue,
+    });
     if (files.length > 1) {
       thoughtLog(
         `Found ${files.length} files for the pattern '${pattern}' at '${dirPath}'.`,
@@ -3519,6 +3637,12 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
       if (isDevelopmentNode) {
         _setNpmDevelopmentProperty(pkg);
       }
+      if (node.optional === true) {
+        _setNpmOptionalProperty(pkg);
+      }
+      if (node.peer === true) {
+        _setNpmPeerProperty(pkg);
+      }
       if (node.resolved) {
         if (node.resolved.startsWith("file:")) {
           pkg.properties.push({
@@ -4101,6 +4225,177 @@ function _parseYarnLine(l) {
   return { group, name };
 }
 
+function _resolveYarnDependencyBomRef(
+  packageName,
+  versionRange,
+  identMap,
+  workspacePackages = [],
+) {
+  if (!packageName || !versionRange) {
+    return undefined;
+  }
+  let packageNameToUse = packageName;
+  let versionRangeToUse = versionRange;
+  if (versionRange.startsWith("npm:")) {
+    if (versionRange.includes("@")) {
+      versionRangeToUse = versionRange.split("@").splice(-1)[0];
+      packageNameToUse = versionRange
+        .replace("npm:", "")
+        .replace(`@${versionRangeToUse}`, "");
+    } else {
+      versionRangeToUse = versionRange.replace("npm:", "");
+    }
+  }
+  let resolvedVersion =
+    identMap[`${packageName}|${versionRangeToUse}`] ||
+    identMap[`${packageNameToUse}|${versionRangeToUse}`];
+  if (!resolvedVersion) {
+    const packageKeys = Object.keys(identMap).filter((key) => {
+      const [pkg] = key.split("|");
+      return pkg === packageName || pkg === packageNameToUse;
+    });
+    resolvedVersion = identMap[packageKeys[0]];
+  }
+  if (!resolvedVersion && workspacePackages?.length) {
+    const matchingWorkspace = findMatchingWorkspace(
+      workspacePackages,
+      packageNameToUse,
+    );
+    if (matchingWorkspace) {
+      const versionMatch = matchingWorkspace.match(/@([^@]+)$/);
+      if (versionMatch) {
+        resolvedVersion = versionMatch[1];
+      }
+    }
+  }
+  let purlPart = `pkg:npm/${encodeURIComponent(packageNameToUse).replace(/%2F/g, "/")}`;
+  if (resolvedVersion?.length) {
+    purlPart = `${purlPart}@${resolvedVersion}`;
+  }
+  return decodeURIComponent(PackageURL.fromString(purlPart).toString());
+}
+
+function _collectYarnRootDependencyRefs(
+  yarnLockFile,
+  identMap,
+  workspacePackages = [],
+) {
+  const rootRefs = _createYarnRootDependencyRefs();
+  const packageJsonFile = join(dirname(yarnLockFile), "package.json");
+  if (!safeExistsSync(packageJsonFile)) {
+    return rootRefs;
+  }
+  let packageJson;
+  try {
+    packageJson = JSON.parse(readFileSync(packageJsonFile, "utf-8"));
+  } catch {
+    return rootRefs;
+  }
+  for (const dependencyType of Object.keys(rootRefs)) {
+    for (const [packageName, versionRange] of Object.entries(
+      packageJson[dependencyType] || {},
+    )) {
+      const bomRef = _resolveYarnDependencyBomRef(
+        packageName,
+        String(versionRange),
+        identMap,
+        workspacePackages,
+      );
+      if (bomRef) {
+        rootRefs[dependencyType].add(bomRef);
+      }
+    }
+  }
+  return rootRefs;
+}
+
+function _createYarnRootDependencyRefs() {
+  return {
+    dependencies: new Set(),
+    devDependencies: new Set(),
+    optionalDependencies: new Set(),
+    peerDependencies: new Set(),
+  };
+}
+
+function _buildDependencyClosure(rootRefs, dependenciesMap) {
+  const closure = new Set();
+  const stack = [...rootRefs];
+  while (stack.length) {
+    const ref = stack.pop();
+    if (!ref || closure.has(ref)) {
+      continue;
+    }
+    closure.add(ref);
+    for (const childRef of dependenciesMap[ref] || []) {
+      stack.push(childRef);
+    }
+  }
+  return closure;
+}
+
+function _markYarnDependencyScopeClosures(
+  pkgList,
+  dependenciesList,
+  yarnRootRefs,
+  yarnOptionalDependencyRefs,
+) {
+  const dependenciesMap = {};
+  for (const dependency of dependenciesList || []) {
+    if (!dependenciesMap[dependency.ref]) {
+      dependenciesMap[dependency.ref] = [];
+    }
+    dependenciesMap[dependency.ref] = Array.from(
+      new Set([
+        ...dependenciesMap[dependency.ref],
+        ...(dependency.dependsOn || []),
+      ]),
+    );
+  }
+  const runtimeClosure = _buildDependencyClosure(
+    yarnRootRefs.dependencies,
+    dependenciesMap,
+  );
+  const devClosure = _buildDependencyClosure(
+    yarnRootRefs.devDependencies,
+    dependenciesMap,
+  );
+  const optionalClosure = _buildDependencyClosure(
+    new Set([
+      ...yarnRootRefs.optionalDependencies,
+      ...yarnOptionalDependencyRefs,
+    ]),
+    dependenciesMap,
+  );
+  const peerClosure = _buildDependencyClosure(
+    yarnRootRefs.peerDependencies,
+    dependenciesMap,
+  );
+  for (const pkg of pkgList) {
+    const ref = pkg["bom-ref"];
+    if (!ref) {
+      continue;
+    }
+    if (
+      optionalClosure.has(ref) &&
+      (!runtimeClosure.has(ref) ||
+        yarnRootRefs.optionalDependencies.has(ref) ||
+        yarnOptionalDependencyRefs.has(ref))
+    ) {
+      pkg.scope = "optional";
+      _setNpmOptionalProperty(pkg);
+    }
+    if (peerClosure.has(ref) && !runtimeClosure.has(ref)) {
+      pkg.scope = "optional";
+      _setNpmPeerProperty(pkg);
+    }
+    if (devClosure.has(ref) && !runtimeClosure.has(ref)) {
+      pkg.scope = "optional";
+      _setNpmDevelopmentProperty(pkg);
+    }
+  }
+}
+
 /**
  * Parse nodejs yarn lock file
  *
@@ -4122,6 +4417,8 @@ export async function parseYarnLock(
   let pkgList = [];
   const dependenciesList = [];
   const depKeys = {};
+  let yarnRootRefs = _createYarnRootDependencyRefs();
+  const yarnOptionalDependencyRefs = new Set();
   if (safeExistsSync(yarnLockFile)) {
     const lockData = readFileSync(yarnLockFile, "utf8");
     let name = "";
@@ -4138,6 +4435,11 @@ export async function parseYarnLock(
     const workspacePurlMap = {};
     // This would have the keys and the resolved version required to solve the dependency tree
     const identMap = yarnLockToIdentMap(lockData);
+    yarnRootRefs = _collectYarnRootDependencyRefs(
+      yarnLockFile,
+      identMap,
+      workspacePackages,
+    );
     lockData.split("\n").forEach((l) => {
       l = l.replace("\r", "");
       if (l.startsWith("#")) {
@@ -4335,66 +4637,19 @@ export async function parseYarnLock(
           if (dgroupname.endsWith(":")) {
             dgroupname = dgroupname.substring(0, dgroupname.length - 1);
           }
-          let dgroupnameToUse = dgroupname;
           const range = tmpA[1].replace(/["']/g, "");
-          let versionRange = range;
-          // Deal with range with npm: prefix such as npm:string-width@^4.2.0, npm:@types/ioredis@^4.28.10
-          if (range.startsWith("npm:")) {
-            if (range.includes("@")) {
-              // Case like npm:string-width@^4.2.0 or npm:@types/ioredis@^4.28.10
-              versionRange = range.split("@").splice(-1)[0];
-              dgroupnameToUse = range
-                .replace("npm:", "")
-                .replace(`@${versionRange}`, "");
-            } else {
-              // Case like npm:^5.1.1 - just a version range with npm: prefix
-              versionRange = range.replace("npm:", "");
-              dgroupnameToUse = dgroupname;
-            }
-          }
-          let resolvedVersion =
-            identMap[`${dgroupname}|${versionRange}`] ||
-            identMap[`${dgroupnameToUse}|${versionRange}`];
-          // If we couldn't resolve the version directly, try to find any resolved version for this package
-          if (!resolvedVersion) {
-            const packageKeys = Object.keys(identMap).filter((key) => {
-              const [pkg] = key.split("|");
-              return pkg === dgroupname || pkg === dgroupnameToUse;
-            });
-
-            if (packageKeys.length > 0) {
-              // Use the first available resolved version for this package
-              resolvedVersion = identMap[packageKeys[0]];
-            }
-          }
-          // If we couldn't resolve the version from yarn.lock, check if it's a workspace package
-          if (!resolvedVersion && workspacePackages?.length) {
-            // Use helper function for more efficient workspace matching
-            const matchingWorkspace = findMatchingWorkspace(
-              workspacePackages,
-              dgroupnameToUse,
-            );
-
-            if (matchingWorkspace) {
-              // Extract version from workspace PURL like "npm:@swc/helpers@0.4.14"
-              const versionMatch = matchingWorkspace.match(/@([^@]+)$/);
-              if (versionMatch) {
-                resolvedVersion = versionMatch[1];
-              }
-            }
-          }
-          // If we still can't resolve the version, use "" as fallback
-          if (!resolvedVersion) {
-            resolvedVersion = "";
+          const depBomRef = _resolveYarnDependencyBomRef(
+            dgroupname,
+            range,
+            identMap,
+            workspacePackages,
+          );
+          if (depBomRef) {
+            deplist.add(depBomRef);
           }
-          // Handle case where the dependency name is really an alias.
-          // Eg: legacy-swc-helpers "npm:@swc/helpers@=0.4.14". Here the dgroupname=@swc/helpers
-          let purlPart = `pkg:npm/${encodeURIComponent(dgroupnameToUse).replace(/%2F/g, "/")}`;
-          if (resolvedVersion?.length) {
-            purlPart = `${purlPart}@${resolvedVersion}`;
+          if (optionalDepsMode && depBomRef) {
+            yarnOptionalDependencyRefs.add(depBomRef);
           }
-          const depPurlString = PackageURL.fromString(purlPart).toString();
-          deplist.add(decodeURIComponent(depPurlString));
         }
       } else if (name !== "") {
         if (!l.startsWith("    ")) {
@@ -4604,6 +4859,13 @@ export async function parseYarnLock(
     }
   }
 
+  _markYarnDependencyScopeClosures(
+    pkgList,
+    dependenciesList,
+    yarnRootRefs,
+    yarnOptionalDependencyRefs,
+  );
+
   if (shouldFetchPackageMetadata() && pkgList?.length) {
     if (DEBUG_MODE) {
       console.log(
@@ -4762,6 +5024,14 @@ function _setNpmDevelopmentProperty(pkg) {
   }
 }
 
+function _setNpmOptionalProperty(pkg) {
+  addComponentProperty(pkg, "cdx:npm:package:optional", "true");
+}
+
+function _setNpmPeerProperty(pkg) {
+  addComponentProperty(pkg, "cdx:npm:package:peer", "true");
+}
+
 function _setTreeWorkspaceRef(
   dependenciesMap,
   depref,
@@ -4863,11 +5133,25 @@ export function parsePnpmWorkspace(workspaceFile) {
   if (!yamlObj) {
     return {};
   }
-  const packages = (yamlObj.packages || [])
-    .filter((n) => !/^(!|\.|__)/.test(n))
-    .map((n) => n.replaceAll("/**", "").replaceAll("/*", ""));
+  const workspacePackages = Array.isArray(yamlObj.packages)
+    ? yamlObj.packages
+    : typeof yamlObj.packages === "string"
+      ? [yamlObj.packages]
+      : [];
+  const excludePackages = workspacePackages
+    .filter((n) => typeof n === "string")
+    .filter((n) => n.startsWith("!"))
+    .map((n) => n.replace(/^!/, ""));
+  const packagePatterns = workspacePackages
+    .filter((n) => typeof n === "string")
+    .filter((n) => !/^(!|\.|__)/.test(n));
+  const packages = packagePatterns.map((n) =>
+    n.replaceAll("/**", "").replaceAll("/*", ""),
+  );
   const catalogs = yamlObj.catalog || {};
   return {
+    excludePackages,
+    packagePatterns,
     packages,
     catalogs,
   };
@@ -4990,12 +5274,20 @@ export function findPnpmPackagePath(baseDir, packageName, version) {
   if (safeExistsSync(pnpmDir)) {
     // pnpm stores packages as {name}@{version} in .pnpm directory
     const encodedName = packageName.replace("/", "%2f");
+    const virtualStoreName = packageName.replace("/", "+");
     let pnpmPackagePath;
 
     // Try different formats that pnpm might use
     const possiblePaths = [
+      join(
+        pnpmDir,
+        `${virtualStoreName}@${version}`,
+        "node_modules",
+        packageName,
+      ),
       join(pnpmDir, `${encodedName}@${version}`, "node_modules", packageName),
       join(pnpmDir, `${packageName}@${version}`, "node_modules", packageName),
+      join(pnpmDir, `${virtualStoreName}@${version}`),
       join(pnpmDir, `${encodedName}@${version}`),
       join(pnpmDir, `${packageName}@${version}`),
     ];
@@ -5041,7 +5333,8 @@ export async function pnpmMetadata(pkgList, lockFilePath) {
   }
   let enhancedCount = 0;
   for (const pkg of pkgList) {
-    const packagePath = findPnpmPackagePath(baseDir, pkg.name, pkg.version);
+    const packageName = pkg.group ? `${pkg.group}/${pkg.name}` : pkg.name;
+    const packagePath = findPnpmPackagePath(baseDir, packageName, pkg.version);
     if (!packagePath) {
       continue;
     }
@@ -5118,9 +5411,10 @@ export async function pnpmMetadata(pkgList, lockFilePath) {
  * @param {Object} parentComponent parent component
  * @param {Array[String]} workspacePackages Workspace packages
  * @param {Object} workspaceSrcFiles Workspace package.json files
- * @param {Object} workspaceCatalogs Workspace catalogs
- * @param {Object} workspaceDirectDeps Direct dependencies of each workspace
+ * @param {Object} _workspaceCatalogs Workspace catalogs
+ * @param {Object} _workspaceDirectDeps Direct dependencies of each workspace
  * @param {Object} depsWorkspaceRefs Workspace references for each dependency
+ * @param {string} projectRoot Root path used to relativize pnpm-lock evidence paths
  */
 export async function parsePnpmLock(
   pnpmLock,
@@ -5130,9 +5424,15 @@ export async function parsePnpmLock(
   _workspaceCatalogs = {},
   _workspaceDirectDeps = {},
   depsWorkspaceRefs = {},
+  projectRoot = undefined,
 ) {
   let pkgList = [];
   const dependenciesList = [];
+  const pnpmLockDir = dirname(pnpmLock);
+  const pnpmEvidenceRoot = projectRoot ? resolve(projectRoot) : pnpmLockDir;
+  const pnpmLockSrcFile = path.isAbsolute(pnpmLock)
+    ? relative(pnpmEvidenceRoot, pnpmLock)
+    : pnpmLock;
   // For lockfile >= 9, we need to track dev and optional packages manually
   // See: #1163
   // Moreover, we have changed >= 9 for >= 6
@@ -5234,7 +5534,9 @@ export async function parsePnpmLock(
       }
       // Find the root optional and peer dependencies
       for (const rdk of Object.keys({ ...rootOptionalDeps, ...rootPeerDeps })) {
-        const version = await getVersionNumPnpm(rootOptionalDeps[rdk]);
+        const version = await getVersionNumPnpm(
+          rootOptionalDeps[rdk] || rootPeerDeps[rdk],
+        );
         let specifier;
         if (
           typeof rootOptionalDeps[rdk] === "object" &&
@@ -5303,8 +5605,12 @@ export async function parsePnpmLock(
         let compPurl;
         let pkgSrcFile;
         let fallbackMode = true;
-        if (safeExistsSync(join(importedComponentName, "package.json"))) {
-          pkgSrcFile = join(importedComponentName, "package.json");
+        if (
+          safeExistsSync(
+            join(pnpmLockDir, importedComponentName, "package.json"),
+          )
+        ) {
+          pkgSrcFile = join(pnpmLockDir, importedComponentName, "package.json");
           const importedComponentObj = await parsePkgJson(pkgSrcFile, true);
           if (importedComponentObj.length) {
             const version = importedComponentObj[0].version;
@@ -5436,7 +5742,9 @@ export async function parsePnpmLock(
           ...componentOptionalDeps,
           ...componentPeerDeps,
         })) {
-          const version = await getVersionNumPnpm(componentOptionalDeps[cdk]);
+          const version = await getVersionNumPnpm(
+            componentOptionalDeps[cdk] || componentPeerDeps[cdk],
+          );
           const dpurl = new PackageURL(
             "npm",
             "",
@@ -5727,7 +6035,7 @@ export async function parsePnpmLock(
           const properties = [
             {
               name: "SrcFile",
-              value: pnpmLock,
+              value: pnpmLockSrcFile,
             },
           ];
           if (hasBin) {
@@ -5838,7 +6146,7 @@ export async function parsePnpmLock(
                   {
                     technique: "manifest-analysis",
                     confidence: 1,
-                    value: pnpmLock,
+                    value: pnpmLockSrcFile,
                   },
                 ],
               },
@@ -5852,6 +6160,9 @@ export async function parsePnpmLock(
               },
             ];
           }
+          if (possibleOptionalDeps[thePkg["bom-ref"]]) {
+            _setNpmOptionalProperty(thePkg);
+          }
           // Don't add internal workspace packages to the components list
           if (thePkg.type !== "application") {
             pkgList.push(thePkg);
@@ -6190,6 +6501,15 @@ export function parsePom(pomFile) {
     attributesKey: "$",
     commentKey: "value",
   }).project;
+  if (project?.modelVersion?._) {
+    properties.modelVersion = project.modelVersion._;
+  }
+  if (project?.$?.root) {
+    properties.mavenRoot = project.$.root;
+  }
+  if (project?.$?.["preserve.model.version"]) {
+    properties.preserveModelVersion = project.$["preserve.model.version"];
+  }
   for (const aprop of [
     "groupId",
     "artifactId",
@@ -6224,14 +6544,20 @@ export function parsePom(pomFile) {
       null,
     ).toString();
   }
+  const moduleEntries = [];
   if (project?.modules?.module) {
-    if (Array.isArray(project.modules.module)) {
-      // If it's an array, proceed with mapping
-      modules = project.modules.module.map((m) => m?._);
-    } else {
-      // If not an array, handle/convert it accordingly. For instance:
-      modules = [project.modules.module._];
-    }
+    moduleEntries.push(project.modules.module);
+  }
+  if (project?.subprojects?.subproject) {
+    moduleEntries.push(project.subprojects.subproject);
+  }
+  if (moduleEntries.length) {
+    modules = moduleEntries.flatMap((entry) => {
+      if (Array.isArray(entry)) {
+        return entry.map((m) => m?._).filter(Boolean);
+      }
+      return entry?._ ? [entry._] : [];
+    });
   }
   if (project?.properties) {
     for (const aprop of Object.keys(project.properties)) {
@@ -6276,18 +6602,28 @@ export function parsePom(pomFile) {
       if (versionStr?.includes("$")) {
         versionStr = properties[versionStr?.replace(/[${}]/g, "")];
       }
-      if (includeMavenTestScope || !adep.scope || adep.scope !== "test") {
+      const scope = adep.scope?._;
+      const type = adep.type?._ || "jar";
+      const classifier = adep.classifier?._;
+      const optional = adep.optional?._;
+      const dependencyProperties = [
+        {
+          name: "SrcFile",
+          value: pomFile,
+        },
+      ];
+      const qualifiers = { type };
+      if (classifier) {
+        qualifiers.classifier = classifier;
+      }
+      if (includeMavenTestScope || scope !== "test") {
         deps.push({
           group: adep.groupId ? adep.groupId._ : "",
           name: adep.artifactId ? adep.artifactId._ : "",
           version: versionStr,
-          qualifiers: { type: "jar" },
-          properties: [
-            {
-              name: "SrcFile",
-              value: pomFile,
-            },
-          ],
+          qualifiers,
+          scope: mapMavenScope(scope, optional === "true"),
+          properties: dependencyProperties,
           evidence: {
             identity: {
               field: "purl",
@@ -6308,6 +6644,194 @@ export function parsePom(pomFile) {
   return { isQuarkus, pomPurl, modules, properties, dependencies: deps };
 }
 
+function mapMavenScope(componentScope, isOptional = false) {
+  if (isOptional || componentScope === "test") {
+    return "optional";
+  }
+  if (["compile", "runtime", "import"].includes(componentScope)) {
+    return "required";
+  }
+  if (["provided", "system"].includes(componentScope)) {
+    return "excluded";
+  }
+  return undefined;
+}
+
+function createMavenComponentFromCoordinateParts(pkgArr, pomFile, isOptional) {
+  let versionStr = pkgArr[pkgArr.length - 2];
+  const componentScope = pkgArr[pkgArr.length - 1];
+  let classifier;
+  if (
+    pkgArr.length >= 6 &&
+    pkgArr[3] !== versionStr &&
+    !pkgArr[3].includes(".jar")
+  ) {
+    classifier = pkgArr[3];
+  }
+  if (pkgArr.length === 4) {
+    versionStr = pkgArr[pkgArr.length - 1];
+  }
+  const qualifiers = { type: pkgArr[2] };
+  if (classifier) {
+    qualifiers.classifier = classifier;
+  }
+  const purlString = new PackageURL(
+    "maven",
+    pkgArr[0],
+    pkgArr[1],
+    versionStr,
+    qualifiers,
+    null,
+  ).toString();
+  const bomRef = decodeURIComponent(purlString);
+  const scope = mapMavenScope(componentScope, isOptional);
+  const properties = [];
+  const apkg = {
+    group: pkgArr[0],
+    name: pkgArr[1],
+    version: versionStr,
+    qualifiers,
+    scope,
+    properties,
+    purl: purlString,
+    "bom-ref": bomRef,
+  };
+  if (pomFile) {
+    properties.push({
+      name: "SrcFile",
+      value: pomFile,
+    });
+    apkg.evidence = {
+      identity: {
+        field: "purl",
+        confidence: 0.5,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 0.5,
+            value: pomFile,
+          },
+        ],
+      },
+    };
+  }
+  return apkg;
+}
+
+function createMavenComponentFromTreeNode(node, pomFile) {
+  const type = node.type || "jar";
+  const qualifiers = { type };
+  if (node.classifier) {
+    qualifiers.classifier = node.classifier;
+  }
+  const purlString = new PackageURL(
+    "maven",
+    node.groupId,
+    node.artifactId,
+    node.version,
+    qualifiers,
+    null,
+  ).toString();
+  const bomRef = decodeURIComponent(purlString);
+  const isOptional = node.optional === true || node.optional === "true";
+  const properties = [];
+  const apkg = {
+    group: node.groupId,
+    name: node.artifactId,
+    version: node.version,
+    qualifiers,
+    scope: mapMavenScope(node.scope, isOptional),
+    properties,
+    purl: purlString,
+    "bom-ref": bomRef,
+  };
+  if (pomFile) {
+    properties.push({
+      name: "SrcFile",
+      value: pomFile,
+    });
+    apkg.evidence = {
+      identity: {
+        field: "purl",
+        confidence: 0.5,
+        methods: [
+          {
+            technique: "manifest-analysis",
+            confidence: 0.5,
+            value: pomFile,
+          },
+        ],
+      },
+    };
+  }
+  return apkg;
+}
+
+/**
+ * Parse maven dependency:tree json output
+ *
+ * @param rawOutput
+ * @param pomFile
+ * @returns {{parentComponent: {}, pkgList: *[], dependenciesList: *[]}|{}|{}|*|{parentComponent: {[p: string]: *}|{}, pkgList: [], dependenciesList: []}}
+ */
+export function parseMavenTreeJson(rawOutput, pomFile) {
+  if (!rawOutput) {
+    return {};
+  }
+  let rootNode = rawOutput;
+  if (typeof rawOutput === "string") {
+    try {
+      rootNode = JSON.parse(rawOutput);
+    } catch (_err) {
+      thoughtLog("Unable to parse Maven dependency:tree JSON output");
+      return {};
+    }
+  }
+  const deps = [];
+  const dependenciesList = [];
+  const keysCache = new Set();
+  const levelTrees = {};
+  let parentComponent = {};
+  const visitNode = (node, parentRef) => {
+    if (!node?.groupId || !node?.artifactId || !node?.version) {
+      return undefined;
+    }
+    const component = createMavenComponentFromTreeNode(node, pomFile);
+    const bomRef = component["bom-ref"];
+    if (!Object.keys(parentComponent).length) {
+      parentComponent = { ...component, type: "application" };
+    }
+    if (!keysCache.has(bomRef)) {
+      keysCache.add(bomRef);
+      deps.push(component);
+    }
+    if (!levelTrees[bomRef]) {
+      levelTrees[bomRef] = [];
+    }
+    if (parentRef) {
+      const cnodes = levelTrees[parentRef] || [];
+      cnodes.push(bomRef);
+      levelTrees[parentRef] = cnodes;
+    }
+    for (const child of node.children || []) {
+      visitNode(child, bomRef);
+    }
+    return bomRef;
+  };
+  visitNode(rootNode);
+  for (const lk of Object.keys(levelTrees)) {
+    dependenciesList.push({
+      ref: lk,
+      dependsOn: [...new Set(levelTrees[lk])].sort(),
+    });
+  }
+  return {
+    parentComponent,
+    pkgList: deps,
+    dependenciesList,
+  };
+}
+
 /**
  * Parse maven tree output
  * @param {string} rawOutput Raw string output
@@ -6319,6 +6843,9 @@ export function parseMavenTree(rawOutput, pomFile) {
   if (!rawOutput) {
     return {};
   }
+  if (rawOutput.trim().startsWith("{")) {
+    return parseMavenTreeJson(rawOutput, pomFile);
+  }
   const deps = [];
   const dependenciesList = [];
   const keys_cache = {};
@@ -6330,6 +6857,8 @@ export function parseMavenTree(rawOutput, pomFile) {
   const stack = [];
   tmpA.forEach((l) => {
     l = l.replace("\r", "");
+    const isOptional = /\s+\(optional\)\s*$/.test(l);
+    l = l.replace(/\s+\(optional\)\s*$/, "");
     if (!includeMavenTestScope && l.trim().endsWith(":test")) {
       return;
     }
@@ -6341,118 +6870,50 @@ export function parseMavenTree(rawOutput, pomFile) {
       }
       l = tmpline[tmpline.length - 1];
       const pkgArr = l.split(":");
-      // Support for classifiers
-      // com.github.jnr:jffi:jar:1.3.11:compile
-      // com.github.jnr:jffi:jar:native:1.3.11:runtime
-      let classifier;
       if (pkgArr && pkgArr.length > 2) {
-        let versionStr = pkgArr[pkgArr.length - 2];
         const componentScope = pkgArr[pkgArr.length - 1];
-        if (
-          pkgArr.length >= 6 &&
-          pkgArr[3] !== versionStr &&
-          !pkgArr[3].includes(".jar")
-        ) {
-          classifier = pkgArr[3];
-        }
         // Ignore test scope
         if (!includeMavenTestScope && componentScope === "test") {
           return;
         }
-        let scope;
-        if (["compile", "runtime"].includes(componentScope)) {
-          scope = "required";
-        } else if (componentScope === "test") {
-          scope = "optional";
-        } else if (componentScope === "provided") {
-          scope = "excluded";
-        }
-        if (pkgArr.length === 4) {
-          versionStr = pkgArr[pkgArr.length - 1];
-        }
-        const qualifiers = { type: pkgArr[2] };
-        if (classifier) {
-          qualifiers.classifier = classifier;
-        }
-        const purlString = new PackageURL(
-          "maven",
-          pkgArr[0],
-          pkgArr[1],
-          versionStr,
-          qualifiers,
-          null,
-        ).toString();
-        const bomRef = decodeURIComponent(purlString);
+        const apkg = createMavenComponentFromCoordinateParts(
+          pkgArr,
+          pomFile,
+          isOptional,
+        );
+        const bomRef = apkg["bom-ref"];
         const key = bomRef;
         if (!first_ref) {
           first_ref = bomRef;
         }
         if (!keys_cache[key]) {
           keys_cache[key] = key;
-          const properties = [];
-          if (scope) {
-            properties.push({
-              name: "cdx:maven:component_scope",
-              value: componentScope,
-            });
-          }
-          const apkg = {
-            group: pkgArr[0],
-            name: pkgArr[1],
-            version: versionStr,
-            qualifiers,
-            scope,
-            properties,
-            purl: purlString,
-            "bom-ref": bomRef,
-          };
-          if (pomFile) {
-            properties.push({
-              name: "SrcFile",
-              value: pomFile,
-            });
-            apkg.evidence = {
-              identity: {
-                field: "purl",
-                confidence: 0.5,
-                methods: [
-                  {
-                    technique: "manifest-analysis",
-                    confidence: 0.5,
-                    value: pomFile,
-                  },
-                ],
-              },
-            };
-          }
           deps.push(apkg);
-          if (!level_trees[bomRef]) {
-            level_trees[bomRef] = [];
-          }
-          if (level === 0 || last_purl === "") {
-            stack.push(bomRef);
-          } else if (level > last_level) {
-            const cnodes = level_trees[last_purl] || [];
-            cnodes.push(bomRef);
-            level_trees[last_purl] = cnodes;
-            if (stack[stack.length - 1] !== bomRef) {
-              stack.push(bomRef);
-            }
-          } else {
-            for (let i = level; i <= last_level; i++) {
-              stack.pop();
-            }
-            const last_stack = stack.length
-              ? stack[stack.length - 1]
-              : first_ref;
-            const cnodes = level_trees[last_stack] || [];
-            cnodes.push(bomRef);
-            level_trees[last_stack] = cnodes;
+        }
+        if (!level_trees[bomRef]) {
+          level_trees[bomRef] = [];
+        }
+        if (level === 0 || last_purl === "") {
+          stack.push(bomRef);
+        } else if (level > last_level) {
+          const cnodes = level_trees[last_purl] || [];
+          cnodes.push(bomRef);
+          level_trees[last_purl] = cnodes;
+          if (stack[stack.length - 1] !== bomRef) {
             stack.push(bomRef);
           }
-          last_level = level;
-          last_purl = bomRef;
+        } else {
+          for (let i = level; i <= last_level; i++) {
+            stack.pop();
+          }
+          const last_stack = stack.length ? stack[stack.length - 1] : first_ref;
+          const cnodes = level_trees[last_stack] || [];
+          cnodes.push(bomRef);
+          level_trees[last_stack] = cnodes;
+          stack.push(bomRef);
         }
+        last_level = level;
+        last_purl = bomRef;
       }
     }
   });
@@ -9641,7 +10102,7 @@ export async function getPyModules(src, epkgList, options) {
       modList = slicesData;
     }
   } else {
-    modList = findAppModules(src, "python", "parsedeps", slicesFile);
+    modList = findAppModules(src, "python", "parsedeps", slicesFile, options);
   }
   const pyDefaultModules = new Set(PYTHON_STD_MODULES);
   modList = modList.filter(
@@ -17064,7 +17525,7 @@ export async function collectMvnDependencies(
     `-Dmdep.stripVersion=${process.env.MAVEN_STRIP_VERSION || "false"}`,
   ];
   if (process.env.MVN_ARGS) {
-    const addArgs = process.env.MVN_ARGS.split(" ");
+    const addArgs = parseMavenArgs(process.env.MVN_ARGS);
     copyArgs = copyArgs.concat(addArgs);
   }
   if (basePath && basePath !== MAVEN_CACHE_DIR) {
@@ -17548,11 +18009,11 @@ export function parsePomProperties(pomProperties) {
     return properties;
   }
   pomProperties.split("\n").forEach((l) => {
-    l = l.replace("\r", "");
+    l = l.replaceAll("\r", "");
     if (l.includes("=")) {
-      const tmpA = l.split("=");
-      if (tmpA && tmpA.length === 2) {
-        properties[tmpA[0]] = tmpA[1].replace("\r", "");
+      const separatorIndex = l.indexOf("=");
+      if (separatorIndex !== -1) {
+        properties[l.slice(0, separatorIndex)] = l.slice(separatorIndex + 1);
       }
     }
   });
@@ -19224,11 +19685,9 @@ export function getMavenCommand(srcPath, rootPath) {
   }
   if (isWrapperFound) {
     if (DEBUG_MODE) {
-      console.log(
-        "Testing the wrapper script by invoking wrapper:wrapper task",
-      );
+      console.log("Testing the wrapper script by invoking --version");
     }
-    const result = safeSpawnSync(mavenWrapperCmd, ["wrapper:wrapper"], {
+    const result = safeSpawnSync(mavenWrapperCmd, ["--version"], {
       cdxgenActivity: {
         kind: "probe",
         metadata: {
@@ -19449,6 +19908,7 @@ export function executeAtom(src, args, extra_env = {}) {
  * @param {string} language
  * @param {string} methodology
  * @param {string} slicesFile
+ * @param {Object} options CLI options
  * @returns List of imported modules
  */
 export function findAppModules(
@@ -19456,6 +19916,7 @@ export function findAppModules(
   language,
   methodology = "usages",
   slicesFile = undefined,
+  options = {},
 ) {
   const tempDir = safeMkdtempSync(join(tmpdir(), "atom-deps-"));
   const atomFile = join(tempDir, `${language}-app.atom`);
@@ -19473,7 +19934,7 @@ export function findAppModules(
     resolve(slicesFile),
     resolve(src),
   ];
-  executeAtom(src, args);
+  executeAtom(src, args, buildAtomCommandEnv(options, language));
   if (safeExistsSync(slicesFile)) {
     const slicesData = JSON.parse(readFileSync(slicesFile, "utf-8"), {
       encoding: "utf-8",
@@ -21313,6 +21774,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
       options.deep ? "c" : "h",
       "usages",
       options.usagesSlicesFile,
+      options,
     );
   }
   const usageData = parseCUsageSlice(sliceData);