verimu 0.0.9 → 0.0.13

package/dist/{cli.mjs → cli.js}

@@ -6,7 +6,7 @@ import { createRequire } from "module";
 
 // src/scan.ts
 import { writeFile } from "fs/promises";
-import { basename } from "path";
+import { basename, join, parse } from "path";
 
 // src/scanners/npm/npm-scanner.ts
 import { readFile } from "fs/promises";
@@ -24,7 +24,7 @@ var VerimuError = class extends Error {
 var NoLockfileError = class extends VerimuError {
   constructor(projectPath) {
     super(
-      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby), composer.lock (Composer)`,
+      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (pip), poetry.lock (Poetry), uv.lock (uv), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby), composer.lock (Composer), yarn.lock (Yarn), pnpm-lock.yaml (pnpm)`,
       "NO_LOCKFILE"
     );
     this.name = "NoLockfileError";
@@ -926,6 +926,993 @@ var ComposerScanner = class {
   }
 };
 
+// src/scanners/yarn/yarn-scanner.ts
+import { readFile as readFile9 } from "fs/promises";
+import { existsSync as existsSync9 } from "fs";
+import path9 from "path";
+import { parse as parseYaml } from "yaml";
+var YarnScanner = class {
+  ecosystem = "npm";
+  lockfileNames = ["yarn.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path9.join(projectPath, "yarn.lock");
+    return existsSync9(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, packageJsonRaw] = await Promise.all([
+      readFile9(lockfilePath, "utf-8"),
+      readFile9(path9.join(projectPath, "package.json"), "utf-8").catch(() => null)
+    ]);
+    const directNames = /* @__PURE__ */ new Set();
+    if (packageJsonRaw) {
+      try {
+        const pkg2 = JSON.parse(packageJsonRaw);
+        for (const name of Object.keys(pkg2.dependencies ?? {})) {
+          directNames.add(name);
+        }
+        for (const name of Object.keys(pkg2.devDependencies ?? {})) {
+          directNames.add(name);
+        }
+      } catch {
+      }
+    }
+    const dependencies = this.parseLockfile(lockfileRaw, lockfilePath, directNames);
+    return {
+      projectPath,
+      ecosystem: "npm",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses yarn.lock file and extracts dependencies.
+   * Automatically detects and handles both v1 (Classic) and v2+ (Berry) formats.
+   */
+  parseLockfile(content, lockfilePath, directNames) {
+    try {
+      const isV2Plus = this.isYarnV2Plus(content);
+      if (isV2Plus) {
+        return this.parseLockfileV2Plus(content, lockfilePath, directNames);
+      } else {
+        return this.parseLockfileV1(content, lockfilePath, directNames);
+      }
+    } catch (err) {
+      throw new LockfileParseError(
+        lockfilePath,
+        `Failed to parse yarn.lock: ${err instanceof Error ? err.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Detects if the lockfile is Yarn v2+ (Berry) format.
+   * v2+ uses YAML format and contains __metadata section.
+   */
+  isYarnV2Plus(content) {
+    return content.startsWith("__metadata:") || content.includes("\n__metadata:");
+  }
+  /**
+   * Parses Yarn v2+ (Berry) lockfile format.
+   * 
+   * Yarn v2+ format (YAML):
+   * ```yaml
+   * __metadata:
+   *   version: 6
+   * 
+   * "package-name@npm:^1.0.0":
+   *   version: 1.2.3
+   *   resolution: "package-name@npm:1.2.3"
+   *   dependencies:
+   *     dep1: ^2.0.0
+   *   checksum: ...
+   *   languageName: node
+   *   linkType: hard
+   * ```
+   */
+  parseLockfileV2Plus(content, lockfilePath, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    try {
+      const parsed = parseYaml(content);
+      if (!parsed || typeof parsed !== "object") {
+        throw new Error("Invalid YAML format");
+      }
+      for (const [key, value] of Object.entries(parsed)) {
+        if (key === "__metadata" || key.includes("@workspace:")) {
+          continue;
+        }
+        if (typeof value !== "object" || value === null) {
+          continue;
+        }
+        const entry = value;
+        let name = null;
+        if (entry.resolution && typeof entry.resolution === "string") {
+          name = this.extractPackageNameFromResolution(entry.resolution);
+        }
+        if (!name) {
+          name = this.extractPackageNameV2Plus(key);
+        }
+        const version = entry.version;
+        if (!name || !version || typeof version !== "string") {
+          continue;
+        }
+        const depKey = `${name}@${version}`;
+        if (seen.has(depKey)) {
+          continue;
+        }
+        seen.set(depKey, true);
+        deps.push({
+          name,
+          version,
+          direct: directNames.has(name),
+          ecosystem: "npm",
+          purl: this.buildPurl(name, version)
+        });
+      }
+    } catch (err) {
+      throw new Error(`Failed to parse Yarn v2+ lockfile: ${err instanceof Error ? err.message : "Unknown error"}`);
+    }
+    return deps;
+  }
+  /**
+   * Extracts package name from Yarn v2+ resolution field.
+   * The resolution field contains the real package name.
+   * Examples:
+   *   "express@npm:4.18.2" → "express"
+   *   "@types/node@npm:20.11.5" → "@types/node"
+   *   "lodash@npm:4.17.21" → "lodash"
+   */
+  extractPackageNameFromResolution(resolution) {
+    if (resolution.startsWith("@")) {
+      const match2 = resolution.match(/^(@[^@]+\/[^@]+)@/);
+      if (match2) {
+        return match2[1];
+      }
+    }
+    const match = resolution.match(/^([^@]+)@/);
+    if (match) {
+      return match[1];
+    }
+    return null;
+  }
+  /**
+   * Extracts package name from Yarn v2+ package key.
+   * Examples:
+   *   "express@npm:^4.18.0" → "express"
+   *   "@types/node@npm:^20.0.0" → "@types/node"
+   *   "pkg@npm:other@npm:^1.0.0" → "pkg" (aliased packages)
+   */
+  extractPackageNameV2Plus(key) {
+    if (key.startsWith("@")) {
+      const match2 = key.match(/^(@[^@]+\/[^@]+)@/);
+      if (match2) {
+        return match2[1];
+      }
+    }
+    const match = key.match(/^([^@]+)@/);
+    if (match) {
+      return match[1];
+    }
+    return null;
+  }
+  /**
+   * Parses Yarn v1 (Classic) lockfile format.
+   *
+   * Yarn v1 format:
+   * ```
+   * "package-name@^1.0.0":
+   *   version "1.2.3"
+   *   resolved "https://..."
+   *   integrity sha512-...
+   *   dependencies:
+   *     dep1 "^2.0.0"
+   * ```
+   */
+  parseLockfileV1(content, lockfilePath, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    const lines = content.split("\n");
+    let currentPackage = null;
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.trim().startsWith("#") || line.trim() === "") {
+        continue;
+      }
+      if (line.match(/^["\w@]/) && line.includes(":") && !line.startsWith("  ")) {
+        if (currentPackage?.version) {
+          this.addDependency(currentPackage, directNames, seen, deps);
+        }
+        const pkgLine = line.substring(0, line.lastIndexOf(":"));
+        const names = pkgLine.split(",").map((s) => s.trim().replace(/^["']|["']$/g, "")).map((s) => this.extractPackageName(s)).filter((s) => !!s);
+        currentPackage = { names, version: void 0 };
+      } else if (line.trim().startsWith("version ") && currentPackage) {
+        const match = line.match(/version\s+"([^"]+)"/);
+        if (match) {
+          currentPackage.version = match[1];
+        }
+      }
+    }
+    if (currentPackage?.version) {
+      this.addDependency(currentPackage, directNames, seen, deps);
+    }
+    return deps;
+  }
+  /**
+   * Adds a dependency to the result list (deduplicates by name@version)
+   */
+  addDependency(pkg2, directNames, seen, deps) {
+    if (!pkg2.version) return;
+    const name = pkg2.names[0];
+    if (!name) return;
+    const key = `${name}@${pkg2.version}`;
+    if (seen.has(key)) return;
+    seen.set(key, true);
+    deps.push({
+      name,
+      version: pkg2.version,
+      direct: directNames.has(name),
+      ecosystem: "npm",
+      purl: this.buildPurl(name, pkg2.version)
+    });
+  }
+  /**
+   * Extracts package name from yarn.lock package declaration.
+   * Examples:
+   *   "express@^4.18.0" → "express"
+   *   "@types/node@^20.0.0" → "@types/node"
+   *   "pkg@npm:other@^1.0.0" → "pkg" (aliased packages)
+   */
+  extractPackageName(pkgDeclaration) {
+    if (pkgDeclaration.includes("@npm:")) {
+      const beforeAlias = pkgDeclaration.split("@npm:")[0];
+      return beforeAlias || null;
+    }
+    if (pkgDeclaration.startsWith("@")) {
+      const parts = pkgDeclaration.split("@");
+      if (parts.length >= 3) {
+        return `@${parts[1]}`;
+      }
+    } else {
+      const atIndex = pkgDeclaration.indexOf("@");
+      if (atIndex > 0) {
+        return pkgDeclaration.substring(0, atIndex);
+      }
+    }
+    return null;
+  }
+  /**
+   * Builds a purl (Package URL) for an npm package.
+   *
+   * Per the purl spec:
+   * "The npm scope @ sign prefix is always percent encoded."
+   *
+   * So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5
+   * And express@4.18.2 → pkg:npm/express@4.18.2
+   */
+  buildPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+
+// src/scanners/pnpm/pnpm-scanner.ts
+import { readFile as readFile10 } from "fs/promises";
+import { existsSync as existsSync10 } from "fs";
+import path10 from "path";
+import { parse as parseYaml2 } from "yaml";
+var PnpmScanner = class {
+  ecosystem = "npm";
+  lockfileNames = ["pnpm-lock.yaml"];
+  async detect(projectPath) {
+    const lockfilePath = path10.join(projectPath, "pnpm-lock.yaml");
+    return existsSync10(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await readFile10(lockfilePath, "utf-8");
+    const dependencies = this.parseLockfile(lockfileRaw, lockfilePath);
+    return {
+      projectPath,
+      ecosystem: "npm",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses pnpm-lock.yaml file and extracts dependencies.
+   * 
+   * pnpm-lock.yaml format (v5.4+):
+   * ```yaml
+   * lockfileVersion: 5.4
+   * 
+   * dependencies:
+   *   express: 4.18.2
+   * 
+   * devDependencies:
+   *   typescript: 5.0.0
+   * 
+   * packages:
+   *   /express/4.18.2:
+   *     resolution: {integrity: sha512-...}
+   *     dependencies:
+   *       accepts: 1.3.8
+   *   /@types/node/20.11.5:
+   *     resolution: {integrity: sha512-...}
+   *     dev: true
+   * ```
+   * 
+   * pnpm-lock.yaml format (v6.0+):
+   * ```yaml
+   * lockfileVersion: '6.0'
+   * 
+   * dependencies:
+   *   express:
+   *     specifier: ^4.18.0
+   *     version: 4.18.2
+   * 
+   * packages:
+   *   /express@4.18.2:
+   *     resolution: {integrity: sha512-...}
+   * ```
+   */
+  parseLockfile(content, lockfilePath) {
+    try {
+      const parsed = parseYaml2(content);
+      if (!parsed || typeof parsed !== "object") {
+        throw new Error("Invalid YAML format");
+      }
+      const lockfile = parsed;
+      const lockfileVersion = this.parseLockfileVersion(lockfile.lockfileVersion);
+      const directNames = this.extractDirectDependencies(lockfile);
+      return this.extractDependencies(lockfile, lockfileVersion, directNames);
+    } catch (err) {
+      throw new LockfileParseError(
+        lockfilePath,
+        `Failed to parse pnpm-lock.yaml: ${err instanceof Error ? err.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Extracts direct dependency names from pnpm lockfile.
+   * 
+   * Supports both formats:
+   * - pnpm v5.x: root-level dependencies/devDependencies
+   * - pnpm v6+: importers['.'].dependencies/devDependencies
+   */
+  extractDirectDependencies(lockfile) {
+    const directNames = /* @__PURE__ */ new Set();
+    if (lockfile.importers && typeof lockfile.importers === "object") {
+      const rootImporter = lockfile.importers["."];
+      if (rootImporter && typeof rootImporter === "object") {
+        if (rootImporter.dependencies && typeof rootImporter.dependencies === "object") {
+          for (const name of Object.keys(rootImporter.dependencies)) {
+            directNames.add(name);
+          }
+        }
+        if (rootImporter.devDependencies && typeof rootImporter.devDependencies === "object") {
+          for (const name of Object.keys(rootImporter.devDependencies)) {
+            directNames.add(name);
+          }
+        }
+      }
+    }
+    if (directNames.size === 0) {
+      if (lockfile.dependencies && typeof lockfile.dependencies === "object") {
+        for (const name of Object.keys(lockfile.dependencies)) {
+          directNames.add(name);
+        }
+      }
+      if (lockfile.devDependencies && typeof lockfile.devDependencies === "object") {
+        for (const name of Object.keys(lockfile.devDependencies)) {
+          directNames.add(name);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Parses lockfile version (can be string or number)
+   */
+  parseLockfileVersion(version) {
+    if (typeof version === "number") {
+      return version;
+    }
+    if (typeof version === "string") {
+      const parsed = parseFloat(version);
+      return isNaN(parsed) ? 5.4 : parsed;
+    }
+    return 5.4;
+  }
+  /**
+   * Extracts dependencies from the lockfile packages section
+   */
+  extractDependencies(lockfile, lockfileVersion, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    if (!lockfile.packages || typeof lockfile.packages !== "object") {
+      return deps;
+    }
+    for (const [pkgPath, pkgInfo] of Object.entries(lockfile.packages)) {
+      if (!pkgInfo || typeof pkgInfo !== "object") {
+        continue;
+      }
+      if (pkgPath.includes("@workspace:")) {
+        continue;
+      }
+      const { name, version } = this.parsePackagePath(pkgPath, lockfileVersion);
+      if (!name || !version) {
+        continue;
+      }
+      const depKey = `${name}@${version}`;
+      if (seen.has(depKey)) {
+        continue;
+      }
+      seen.set(depKey, true);
+      deps.push({
+        name,
+        version,
+        direct: directNames.has(name),
+        ecosystem: "npm",
+        purl: this.buildPurl(name, version)
+      });
+    }
+    return deps;
+  }
+  /**
+   * Parses package path to extract name and version.
+   * 
+   * pnpm v5.x format:
+   *   "/express/4.18.2" → name: "express", version: "4.18.2"
+   *   "/@types/node/20.11.5" → name: "@types/node", version: "20.11.5"
+   *   "/accepts/1.3.8" → name: "accepts", version: "1.3.8"
+   * 
+   * pnpm v6+ format:
+   *   "/express@4.18.2" → name: "express", version: "4.18.2"
+   *   "/@types/node@20.11.5" → name: "@types/node", version: "20.11.5"
+   *   "/accepts@1.3.8" → name: "accepts", version: "1.3.8"
+   * 
+   * Also handles peer dependency suffixes:
+   *   "/pkg@1.0.0_dep@2.0.0" → name: "pkg", version: "1.0.0"
+   *   "/pkg@1.0.0(dep@2.0.0)" → name: "pkg", version: "1.0.0"
+   */
+  parsePackagePath(pkgPath, lockfileVersion) {
+    const path14 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
+    const cleanPath = path14.split("_")[0].split("(")[0];
+    if (!cleanPath) {
+      return { name: null, version: null };
+    }
+    if (lockfileVersion >= 6) {
+      return this.parseV6Format(cleanPath);
+    }
+    return this.parseV5Format(cleanPath);
+  }
+  /**
+   * Parses v6+ format: "express@4.18.2" or "@types/node@20.11.5"
+   */
+  parseV6Format(path14) {
+    if (path14.startsWith("@")) {
+      const lastAtIndex = path14.lastIndexOf("@");
+      if (lastAtIndex <= 0) {
+        return { name: null, version: null };
+      }
+      const name2 = path14.substring(0, lastAtIndex);
+      const version2 = path14.substring(lastAtIndex + 1);
+      return { name: name2, version: version2 };
+    }
+    const atIndex = path14.indexOf("@");
+    if (atIndex < 0) {
+      return { name: null, version: null };
+    }
+    const name = path14.substring(0, atIndex);
+    const version = path14.substring(atIndex + 1);
+    return { name, version };
+  }
+  /**
+   * Parses v5.x format: "express/4.18.2" or "@types/node/20.11.5"
+   */
+  parseV5Format(path14) {
+    if (path14.startsWith("@")) {
+      const parts = path14.split("/");
+      if (parts.length < 3) {
+        return { name: null, version: null };
+      }
+      const name2 = `${parts[0]}/${parts[1]}`;
+      const version2 = parts[2];
+      return { name: name2, version: version2 };
+    }
+    const slashIndex = path14.indexOf("/");
+    if (slashIndex < 0) {
+      return { name: null, version: null };
+    }
+    const name = path14.substring(0, slashIndex);
+    const version = path14.substring(slashIndex + 1);
+    return { name, version };
+  }
+  /**
+   * Builds a purl (Package URL) for an npm package.
+   *
+   * Per the purl spec:
+   * "The npm scope @ sign prefix is always percent encoded."
+   *
+   * So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5
+   * And express@4.18.2 → pkg:npm/express@4.18.2
+   */
+  buildPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+
+// src/scanners/deno/deno-scanner.ts
+import { readFile as readFile11 } from "fs/promises";
+import { existsSync as existsSync11 } from "fs";
+import path11 from "path";
+var DenoScanner = class {
+  ecosystem = "deno";
+  lockfileNames = ["deno.lock"];
+  async detect(projectPath) {
+    for (const name of this.lockfileNames) {
+      const lockfilePath = path11.join(projectPath, name);
+      if (existsSync11(lockfilePath)) return lockfilePath;
+    }
+    return null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await readFile11(lockfilePath, "utf-8");
+    let lockfile;
+    try {
+      lockfile = JSON.parse(lockfileRaw);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON");
+    }
+    const dependencies = this.parseLockfile(lockfile);
+    return {
+      projectPath,
+      ecosystem: "deno",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses the lockfile and extracts dependencies from both
+   * npm and jsr package registries.
+   *
+   * Supports v3 (packages nested under `packages`), v4, and v5 (top-level jsr/npm sections).
+   * Uses lockfile specifiers to determine direct vs transitive dependencies.
+   */
+  parseLockfile(lockfile) {
+    const deps = [];
+    const directNames = this.extractDirectDependencies(lockfile);
+    const jsrPackages = lockfile.jsr ?? lockfile.packages?.jsr ?? {};
+    const npmPackages = lockfile.npm ?? lockfile.packages?.npm ?? {};
+    for (const key of Object.keys(jsrPackages)) {
+      const parsed = this.parsePackageKey(key);
+      if (!parsed) continue;
+      deps.push({
+        name: parsed.name,
+        version: parsed.version,
+        direct: directNames.has(`jsr:${parsed.name}`),
+        ecosystem: "deno",
+        // JSR packages belong to Deno ecosystem
+        purl: this.buildJsrPurl(parsed.name, parsed.version)
+      });
+    }
+    for (const key of Object.keys(npmPackages)) {
+      const parsed = this.parsePackageKey(key);
+      if (!parsed) continue;
+      deps.push({
+        name: parsed.name,
+        version: parsed.version,
+        direct: directNames.has(`npm:${parsed.name}`),
+        ecosystem: "npm",
+        // npm packages belong to npm ecosystem (for CVE tracking)
+        purl: this.buildNpmPurl(parsed.name, parsed.version)
+      });
+    }
+    return deps;
+  }
+  /**
+   * Extracts direct dependency names from lockfile specifiers.
+   *
+   * Returns a set of ecosystem-qualified package names like "jsr:@std/assert" or "npm:express".
+   * The ecosystem prefix prevents collisions if the same package name exists in both registries.
+   */
+  extractDirectDependencies(lockfile) {
+    const directNames = /* @__PURE__ */ new Set();
+    const specifiers = lockfile.specifiers ?? lockfile.packages?.specifiers ?? {};
+    for (const [constraint, resolved] of Object.entries(specifiers)) {
+      if (resolved.startsWith("file:") || resolved.startsWith("https:") || resolved.startsWith("http:") || resolved.startsWith("data:")) {
+        continue;
+      }
+      let ecosystem = null;
+      if (constraint.startsWith("jsr:")) {
+        ecosystem = "jsr";
+      } else if (constraint.startsWith("npm:")) {
+        ecosystem = "npm";
+      }
+      if (!ecosystem) continue;
+      let resolvedKey = resolved;
+      if (resolved.startsWith("jsr:") || resolved.startsWith("npm:")) {
+        resolvedKey = resolved.replace(/^(jsr:|npm:)/, "");
+        const parsed = this.parsePackageKey(resolvedKey);
+        if (parsed) {
+          directNames.add(`${ecosystem}:${parsed.name}`);
+        }
+      } else {
+        const name = this.extractNameFromSpecifier(constraint);
+        if (name) {
+          directNames.add(`${ecosystem}:${name}`);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Parses a package key like "@std/assert@1.0.10" or "express@4.21.2"
+   * into { name, version }.
+   *
+   * Handles scoped packages where the name starts with @ (e.g., @std/assert).
+   * In that case the version separator is the LAST @ sign.
+   */
+  parsePackageKey(key) {
+    const lastAtIndex = key.lastIndexOf("@");
+    if (lastAtIndex <= 0) return null;
+    const name = key.slice(0, lastAtIndex);
+    const version = key.slice(lastAtIndex + 1);
+    if (!name || !version) return null;
+    return { name, version };
+  }
+  /**
+   * Extracts the package name from a Deno import specifier.
+   *
+   * Examples:
+   *   "jsr:@std/assert@^1.0.0" → "@std/assert"
+   *   "npm:express@^4.18.0"    → "express"
+   *   "npm:@hono/hono@^4.0.0"  → "@hono/hono"
+   *   "lodash" (bare)          → "lodash"
+   */
+  extractNameFromSpecifier(specifier) {
+    const withoutPrefix = specifier.replace(/^(jsr:|npm:)/, "");
+    if (!withoutPrefix) return null;
+    if (withoutPrefix.startsWith("@")) {
+      const slashIndex = withoutPrefix.indexOf("/");
+      if (slashIndex === -1) return null;
+      const afterSlash = withoutPrefix.indexOf("@", slashIndex);
+      if (afterSlash === -1) return withoutPrefix;
+      return withoutPrefix.slice(0, afterSlash);
+    }
+    const atIndex = withoutPrefix.indexOf("@");
+    if (atIndex === -1) return withoutPrefix;
+    return withoutPrefix.slice(0, atIndex);
+  }
+  /**
+   * Builds a purl for a JSR package.
+   *
+   * JSR packages use the "jsr" purl type (non-standard but descriptive).
+   * For scoped packages, both @ and all / characters are percent-encoded.
+   * Example: `pkg:jsr/%40std%2Fassert@1.0.10`
+   */
+  buildJsrPurl(name, version) {
+    if (name.startsWith("@")) {
+      const encoded = "%40" + name.slice(1).replace(/\//g, "%2F");
+      return `pkg:jsr/${encoded}@${version}`;
+    }
+    return `pkg:jsr/${name}@${version}`;
+  }
+  /**
+   * Builds a purl for an npm package used via Deno.
+   *
+   * Uses the standard npm purl type since these are npm packages.
+   * Per npm purl spec, only @ is encoded, / remains as namespace separator.
+   * Example: `pkg:npm/%40std/assert@1.0.10` or `pkg:npm/express@4.21.2`
+   */
+  buildNpmPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+
+// src/scanners/poetry/poetry-scanner.ts
+import { readFile as readFile12 } from "fs/promises";
+import { existsSync as existsSync12 } from "fs";
+import path12 from "path";
+var PoetryScanner = class {
+  ecosystem = "poetry";
+  lockfileNames = ["poetry.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path12.join(projectPath, "poetry.lock");
+    return existsSync12(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, pyprojectRaw] = await Promise.all([
+      readFile12(lockfilePath, "utf-8"),
+      readFile12(path12.join(projectPath, "pyproject.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const directNames = pyprojectRaw ? this.parsePyprojectToml(pyprojectRaw) : /* @__PURE__ */ new Set();
+    const dependencies = [];
+    for (const pkg2 of packages) {
+      dependencies.push({
+        name: this.normalizePipName(pkg2.name),
+        version: pkg2.version,
+        direct: directNames.size > 0 ? directNames.has(this.normalizePipName(pkg2.name)) : true,
+        ecosystem: "poetry",
+        purl: this.buildPurl(pkg2.name, pkg2.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "poetry",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses poetry.lock by splitting on [[package]] blocks.
+   * Lightweight parser that handles the regular structure
+   * without needing a full TOML library.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      if (name && version) {
+        packages.push({ name, version });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from poetry.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Parses `pyproject.toml` to extract direct dependency names.
+   *
+   * Looks for:
+   *   - `[tool.poetry.dependencies]` — main dependencies
+   *   - `[tool.poetry.group.dev.dependencies]` — dev dependencies
+   *   - `[tool.poetry.group.*.dependencies]` — other groups
+   *
+   * Supports formats:
+   *   - `requests = "^2.31.0"`
+   *   - `requests = { version = "^2.31.0", optional = true }`
+   *   - `python = "^3.12"` — skipped (the Python interpreter itself)
+   */
+  parsePyprojectToml(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDepsSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepsSection = line === "[tool.poetry.dependencies]" || /^\[tool\.poetry\.group\.[^\]]+\.dependencies\]$/.test(line);
+        continue;
+      }
+      if (inDepsSection && line && !line.startsWith("#")) {
+        const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*=/);
+        if (match && match[1]) {
+          const name = this.normalizePipName(match[1]);
+          if (name !== "python") {
+            directNames.add(name);
+          }
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "poetry").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+
+// src/scanners/uv/uv-scanner.ts
+import { readFile as readFile13 } from "fs/promises";
+import { existsSync as existsSync13 } from "fs";
+import path13 from "path";
+var UvScanner = class {
+  ecosystem = "uv";
+  lockfileNames = ["uv.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path13.join(projectPath, "uv.lock");
+    return existsSync13(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, pyprojectRaw] = await Promise.all([
+      readFile13(lockfilePath, "utf-8"),
+      readFile13(path13.join(projectPath, "pyproject.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const projectName = pyprojectRaw ? this.extractProjectName(pyprojectRaw) : null;
+    const directNames = pyprojectRaw ? this.parsePyprojectDeps(pyprojectRaw) : /* @__PURE__ */ new Set();
+    const dependencies = [];
+    for (const pkg2 of packages) {
+      if (pkg2.isEditable) continue;
+      if (projectName && this.normalizePipName(pkg2.name) === this.normalizePipName(projectName)) {
+        continue;
+      }
+      dependencies.push({
+        name: this.normalizePipName(pkg2.name),
+        version: pkg2.version,
+        direct: directNames.size > 0 ? directNames.has(this.normalizePipName(pkg2.name)) : true,
+        ecosystem: "uv",
+        purl: this.buildPurl(pkg2.name, pkg2.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "uv",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses uv.lock by splitting on [[package]] blocks.
+   * Lightweight parser that handles the regular structure
+   * without needing a full TOML library.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      if (name && version) {
+        const isEditable = /source\s*=\s*\{[^}]*editable\s*=/.test(block) || /source\s*=\s*\{[^}]*virtual\s*=/.test(block);
+        packages.push({ name, version, isEditable });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from uv.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Extracts the project name from `pyproject.toml`.
+   * Looks for `name = "..."` under `[project]`.
+   */
+  extractProjectName(content) {
+    let inProjectSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inProjectSection = line === "[project]";
+        continue;
+      }
+      if (inProjectSection) {
+        const match = line.match(/^name\s*=\s*"([^"]*)"/);
+        if (match) return match[1];
+      }
+    }
+    return null;
+  }
+  /**
+   * Parses `pyproject.toml` to extract direct dependency names.
+   *
+   * Looks for:
+   *   - `[project]` → `dependencies = [...]` (PEP 621)
+   *   - `[project.optional-dependencies]` (extras)
+   *   - `[dependency-groups]` (PEP 735, used by uv for dev deps)
+   *
+   * Dependency strings follow PEP 508:
+   *   - `"requests>=2.31.0"`
+   *   - `"flask[dotenv]>=3.0"`
+   *   - `"black"` (bare name)
+   */
+  parsePyprojectDeps(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    this.extractInlineArray(content, directNames);
+    this.extractDependencyGroups(content, directNames);
+    return directNames;
+  }
+  /**
+   * Extracts dependency names from PEP 621 `dependencies = [...]` arrays
+   * and `[project.optional-dependencies]` sections.
+   */
+  extractInlineArray(content, directNames) {
+    const arrayRegex = /(?:^dependencies|^[a-zA-Z0-9_-]+)\s*=\s*\[([^\]]*)\]/gm;
+    let match;
+    while ((match = arrayRegex.exec(content)) !== null) {
+      const arrayContent = match[1];
+      this.extractPepNames(arrayContent, directNames);
+    }
+  }
+  /**
+   * Extracts dependency names from [dependency-groups] sections.
+   * Format:
+   * ```toml
+   * [dependency-groups]
+   * dev = ["pytest>=7.0", "black"]
+   * ```
+   */
+  extractDependencyGroups(content, directNames) {
+    let inDepGroups = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepGroups = line === "[dependency-groups]";
+        continue;
+      }
+      if (inDepGroups && line && !line.startsWith("#")) {
+        const arrayMatch = line.match(/^[a-zA-Z0-9_-]+\s*=\s*\[([^\]]*)\]/);
+        if (arrayMatch) {
+          this.extractPepNames(arrayMatch[1], directNames);
+        }
+      }
+    }
+  }
+  /**
+   * Extracts PEP 508 package names from a comma-separated
+   * list of quoted dependency strings.
+   */
+  extractPepNames(content, directNames) {
+    const depStrings = content.match(/"([^"]*)"/g);
+    if (!depStrings) return;
+    for (const quoted of depStrings) {
+      const depStr = quoted.replace(/"/g, "").trim();
+      if (!depStr) continue;
+      const nameMatch = depStr.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)/);
+      if (nameMatch && nameMatch[1]) {
+        directNames.add(this.normalizePipName(nameMatch[1]));
+      }
+    }
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "uv").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+
 // src/scanners/registry.ts
 var ScannerRegistry = class {
   scanners;
@@ -935,10 +1922,15 @@ var ScannerRegistry = class {
       new NugetScanner(),
       new CargoScanner(),
       new PipScanner(),
+      new PoetryScanner(),
+      new UvScanner(),
       new MavenScanner(),
       new GoScanner(),
       new RubyScanner(),
-      new ComposerScanner()
+      new ComposerScanner(),
+      new YarnScanner(),
+      new PnpmScanner(),
+      new DenoScanner()
     ];
   }
   /**
@@ -964,48 +1956,88 @@ var ScannerRegistry = class {
   }
 };
 
+// src/sbom/shared.ts
+var VERIMU_TOOL_NAME = "verimu";
+var VERIMU_TOOL_WEBSITE = "https://verimu.com";
+var VERIMU_TOOL_DESCRIPTION = "Verimu CRA Compliance Scanner";
+var DEFAULT_TOOL_VERSION = "0.1.0";
+var DEFAULT_SWID_VERSION = "0.0.0";
+var PURL_TYPE_MAP = {
+  npm: "npm",
+  nuget: "nuget",
+  cargo: "cargo",
+  maven: "maven",
+  pip: "pypi",
+  poetry: "pypi",
+  uv: "pypi",
+  go: "golang",
+  ruby: "gem",
+  composer: "composer",
+  deno: "deno"
+};
+function buildPurl(name, version, ecosystem) {
+  const type = PURL_TYPE_MAP[ecosystem] || ecosystem;
+  if (ecosystem === "npm" && name.startsWith("@")) {
+    return `pkg:${type}/%40${name.slice(1)}@${version}`;
+  }
+  return `pkg:${type}/${name}@${version}`;
+}
+function deriveSupplierName(packageName) {
+  if (packageName.startsWith("@")) {
+    return packageName.split("/")[0];
+  }
+  return packageName;
+}
+function extractProjectName(projectPath) {
+  const parts = projectPath.replace(/\\/g, "/").split("/");
+  return parts[parts.length - 1] || "unknown-project";
+}
+function normalizeDependencies(dependencies) {
+  return dependencies.map((dep) => ({
+    name: dep.name,
+    version: dep.version,
+    ecosystem: dep.ecosystem,
+    direct: dep.direct ?? true,
+    purl: dep.purl ?? buildPurl(dep.name, dep.version, dep.ecosystem),
+    supplierName: deriveSupplierName(dep.name)
+  }));
+}
+
 // src/sbom/cyclonedx.ts
 import { randomUUID } from "crypto";
+var SCHEMA_URLS = {
+  "1.4": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "1.5": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "1.6": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "1.7": "http://cyclonedx.org/schema/bom-1.7.schema.json"
+};
 var CycloneDxGenerator = class {
+  constructor(specVersion = "1.7") {
+    this.specVersion = specVersion;
+  }
   format = "cyclonedx-json";
-  generate(scanResult, toolVersion = "0.1.0") {
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
     const bom = this.buildBom(scanResult, toolVersion);
     const content = JSON.stringify(bom, null, 2);
     return {
       format: "cyclonedx-json",
-      specVersion: "1.7",
+      specVersion: this.specVersion,
       content,
       componentCount: scanResult.dependencies.length,
       generatedAt: (/* @__PURE__ */ new Date()).toISOString()
     };
   }
   buildBom(scanResult, toolVersion) {
-    const projectName = this.extractProjectName(scanResult.projectPath);
+    const projectName = extractProjectName(scanResult.projectPath);
     return {
-      $schema: "http://cyclonedx.org/schema/bom-1.7.schema.json",
+      $schema: SCHEMA_URLS[this.specVersion],
       bomFormat: "CycloneDX",
-      specVersion: "1.7",
+      specVersion: this.specVersion,
       serialNumber: `urn:uuid:${randomUUID()}`,
       version: 1,
       metadata: {
         timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        tools: {
-          components: [
-            {
-              type: "application",
-              name: "verimu",
-              version: toolVersion,
-              description: "Verimu CRA Compliance Scanner",
-              supplier: { name: "Verimu" },
-              externalReferences: [
-                {
-                  type: "website",
-                  url: "https://verimu.com"
-                }
-              ]
-            }
-          ]
-        },
+        tools: this.buildTools(toolVersion),
         // NTIA: metadata.supplier — the org supplying the root software
         supplier: {
           name: projectName
@@ -1032,26 +2064,10 @@ var CycloneDxGenerator = class {
       scope: dep.direct ? "required" : "optional",
       // NTIA: component.supplier — derived from npm scope or package name
       supplier: {
-        name: this.deriveSupplierName(dep.name)
+        name: deriveSupplierName(dep.name)
       }
     };
   }
-  /**
-   * Derives a supplier name from a package name.
-   *
-   * For scoped packages like "@vue/reactivity" → "@vue"
-   * For unscoped packages like "express" → "express"
-   *
-   * This is the same heuristic used by Syft, Trivy, and other SBOM tools
-   * when registry metadata (author/publisher) isn't available from the lockfile.
-   */
-  deriveSupplierName(packageName) {
-    if (packageName.startsWith("@")) {
-      const scope = packageName.split("/")[0];
-      return scope;
-    }
-    return packageName;
-  }
   /**
    * Builds the dependency graph section of the SBOM.
    *
@@ -1072,12 +2088,162 @@ var CycloneDxGenerator = class {
       }
     ];
   }
-  /** Extracts project name from path */
-  extractProjectName(projectPath) {
-    const parts = projectPath.replace(/\\/g, "/").split("/");
-    return parts[parts.length - 1] || "unknown-project";
+  /**
+   * Builds the tools metadata section.
+   *
+   * CycloneDX 1.4: tools is a flat array of { vendor, name, version, ... }
+   * CycloneDX 1.5+: tools is an object { components: [...] }
+   */
+  buildTools(toolVersion) {
+    if (this.specVersion === "1.4") {
+      return [
+        {
+          vendor: "Verimu",
+          name: VERIMU_TOOL_NAME,
+          version: toolVersion,
+          externalReferences: [{ type: "website", url: VERIMU_TOOL_WEBSITE }]
+        }
+      ];
+    }
+    return {
+      components: [
+        {
+          type: "application",
+          name: VERIMU_TOOL_NAME,
+          version: toolVersion,
+          description: VERIMU_TOOL_DESCRIPTION,
+          supplier: { name: "Verimu" },
+          externalReferences: [{ type: "website", url: VERIMU_TOOL_WEBSITE }]
+        }
+      ]
+    };
+  }
+};
+
+// src/sbom/spdx.ts
+import { randomUUID as randomUUID2 } from "crypto";
+var SPDX_VERSION = "2.3";
+var SpdxJsonGenerator = class {
+  format = "spdx-json";
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const projectName = extractProjectName(scanResult.projectPath);
+    const rootPackageId = "SPDXRef-Package-root";
+    const dependencies = normalizeDependencies(scanResult.dependencies);
+    const document = {
+      spdxVersion: `SPDX-${SPDX_VERSION}`,
+      dataLicense: "CC0-1.0",
+      SPDXID: "SPDXRef-DOCUMENT",
+      name: `${projectName}-sbom`,
+      documentNamespace: `https://verimu.com/spdxdocs/${projectName}-${randomUUID2()}`,
+      creationInfo: {
+        created: timestamp,
+        creators: [`Tool: ${VERIMU_TOOL_NAME}@${toolVersion}`]
+      },
+      documentDescribes: [rootPackageId],
+      packages: [
+        {
+          name: projectName,
+          SPDXID: rootPackageId,
+          versionInfo: "NOASSERTION",
+          supplier: `Organization: ${projectName}`,
+          downloadLocation: "NOASSERTION",
+          filesAnalyzed: false,
+          licenseConcluded: "NOASSERTION",
+          licenseDeclared: "NOASSERTION",
+          primaryPackagePurpose: "APPLICATION"
+        },
+        ...dependencies.map((dep, index) => ({
+          name: dep.name,
+          SPDXID: `SPDXRef-Package-${index + 1}`,
+          versionInfo: dep.version,
+          supplier: `Organization: ${dep.supplierName}`,
+          downloadLocation: "NOASSERTION",
+          filesAnalyzed: false,
+          licenseConcluded: "NOASSERTION",
+          licenseDeclared: "NOASSERTION",
+          primaryPackagePurpose: "LIBRARY",
+          externalRefs: [
+            {
+              referenceCategory: "PACKAGE-MANAGER",
+              referenceType: "purl",
+              referenceLocator: dep.purl
+            }
+          ]
+        }))
+      ],
+      relationships: [
+        {
+          spdxElementId: "SPDXRef-DOCUMENT",
+          relationshipType: "DESCRIBES",
+          relatedSpdxElement: rootPackageId
+        },
+        ...dependencies.map((_dep, index) => ({
+          spdxElementId: rootPackageId,
+          relationshipType: "DEPENDS_ON",
+          relatedSpdxElement: `SPDXRef-Package-${index + 1}`
+        }))
+      ]
+    };
+    return {
+      format: "spdx-json",
+      specVersion: SPDX_VERSION,
+      content: JSON.stringify(document, null, 2),
+      componentCount: scanResult.dependencies.length,
+      generatedAt: timestamp
+    };
+  }
+};
+
+// src/sbom/swid.ts
+import { randomUUID as randomUUID3 } from "crypto";
+var SWID_SPEC_VERSION = "ISO/IEC 19770-2:2015";
+var SwidTagGenerator = class {
+  format = "swid-xml";
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const projectName = extractProjectName(scanResult.projectPath);
+    const tagId = `com.verimu:${sanitizeTagId(projectName)}:${DEFAULT_SWID_VERSION}:${randomUUID3()}`;
+    const content = [
+      '<?xml version="1.0" encoding="UTF-8"?>',
+      "<SoftwareIdentity",
+      '  xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"',
+      `  name="${escapeXml(projectName)}"`,
+      `  tagId="${escapeXml(tagId)}"`,
+      '  tagVersion="1"',
+      `  version="${DEFAULT_SWID_VERSION}"`,
+      '  versionScheme="semver">',
+      `  <Entity name="${escapeXml(projectName)}" role="softwareCreator" />`,
+      '  <Entity name="Verimu" role="tagCreator" />',
+      `  <Meta product="${escapeXml(projectName)}" generator="${VERIMU_TOOL_NAME}" toolVersion="${toolVersion}" generated="${timestamp}" />`,
+      "  <!-- TODO: Consider adding dependency/package evidence if we need richer SWID coverage. -->",
+      '  <Link rel="describedby" href="https://verimu.com" />',
+      "</SoftwareIdentity>"
+    ].join("\n");
+    return {
+      format: "swid-xml",
+      specVersion: SWID_SPEC_VERSION,
+      content,
+      componentCount: 1,
+      generatedAt: timestamp
+    };
   }
 };
+function escapeXml(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&apos;");
+}
+function sanitizeTagId(value) {
+  return value.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
+}
+
+// src/sbom/artifacts.ts
+function generateSbomArtifacts(scanResult, toolVersion = DEFAULT_TOOL_VERSION, cyclonedxVersion = "1.7") {
+  return {
+    cyclonedx: new CycloneDxGenerator(cyclonedxVersion).generate(scanResult, toolVersion),
+    spdx: new SpdxJsonGenerator().generate(scanResult, toolVersion),
+    swid: new SwidTagGenerator().generate(scanResult, toolVersion)
+  };
+}
 
 // src/cve/osv.ts
 var OSV_API_BASE = "https://api.osv.dev/v1";
@@ -1346,9 +2512,13 @@ var OsvSource = class {
       cargo: "crates.io",
       maven: "Maven",
       pip: "PyPI",
+      poetry: "PyPI",
+      uv: "PyPI",
       go: "Go",
       ruby: "RubyGems",
-      composer: "Packagist"
+      composer: "Packagist",
+      deno: "JSR"
+      // JSR packages (Deno registry)
     };
     return map[ecosystem] ?? ecosystem;
   }
@@ -1455,6 +2625,9 @@ var ConsoleReporter = class {
     lines.push("");
     lines.push(`  \u2713 SBOM generated (${result.sbom.format}, ${result.sbom.specVersion})`);
     lines.push(`    Components: ${result.sbom.componentCount}`);
+    if (result.artifacts) {
+      lines.push(`    Also wrote: ${result.artifacts.spdx.format}, ${result.artifacts.swid.format}`);
+    }
     lines.push("");
     const vulns = result.cveCheck.vulnerabilities;
     if (vulns.length === 0) {
@@ -1544,18 +2717,22 @@ var VerimuApiClient = class {
     return res.json();
   }
   /**
-   * Upload a CycloneDX SBOM to a project and trigger CVE scanning.
+   * Upload a software inventory artifact payload to a project and trigger CVE scanning.
+   *
+   * Backward-compatible:
+   * - string payloads are treated as legacy raw CycloneDX JSON
+   * - object payloads can include CycloneDX + SPDX + SWID together
    */
-  async uploadSbom(projectId, sbomContent) {
-    const sbomJson = JSON.parse(sbomContent);
+  async uploadSbom(projectId, payload) {
+    const body = typeof payload === "string" ? JSON.stringify(JSON.parse(payload)) : JSON.stringify(payload);
     const res = await fetch(`${this.baseUrl}/api/projects/${projectId}/scan`, {
       method: "POST",
       headers: this.headers(),
-      body: JSON.stringify(sbomJson)
+      body
     });
     if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Verimu API: upload SBOM failed (${res.status}): ${body}`);
+      const body2 = await res.text();
+      throw new Error(`Verimu API: upload SBOM failed (${res.status}): ${body2}`);
     }
     return res.json();
   }
@@ -1573,12 +2750,15 @@ var VerimuApiClient = class {
     const map = {
       npm: "npm",
       pip: "pip",
+      poetry: "poetry",
+      uv: "uv",
       maven: "maven",
       nuget: "nuget",
       go: "gomod",
       cargo: "cargo",
       ruby: "bundler",
-      composer: "composer"
+      composer: "composer",
+      deno: "deno"
     };
     return map[eco] ?? eco;
   }
@@ -1589,13 +2769,19 @@ async function scan(config) {
   const {
     projectPath,
     sbomOutput = "./sbom.cdx.json",
-    skipCveCheck = false
+    skipCveCheck = false,
+    cyclonedxVersion = "1.7"
   } = config;
   const registry = new ScannerRegistry();
   const scanResult = await registry.detectAndScan(projectPath);
-  const sbomGenerator = new CycloneDxGenerator();
-  const sbom = sbomGenerator.generate(scanResult);
-  await writeFile(sbomOutput, sbom.content, "utf-8");
+  const artifacts = generateSbomArtifacts(scanResult, void 0, cyclonedxVersion);
+  const sbom = artifacts.cyclonedx;
+  const outputPaths = deriveArtifactOutputPaths(sbomOutput);
+  await Promise.all([
+    writeFile(outputPaths.cyclonedx, artifacts.cyclonedx.content, "utf-8"),
+    writeFile(outputPaths.spdx, artifacts.spdx.content, "utf-8"),
+    writeFile(outputPaths.swid, artifacts.swid.content, "utf-8")
+  ]);
   let cveCheck;
   if (skipCveCheck) {
     cveCheck = {
@@ -1624,6 +2810,7 @@ async function scan(config) {
       dependencyCount: scanResult.dependencies.length
     },
     sbom,
+    artifacts,
     cveCheck,
     summary,
     generatedAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -1648,7 +2835,7 @@ async function uploadToVerimu(report, config) {
     ecosystem: report.project.ecosystem
   });
   const projectId = upsertRes.project.id;
-  const scanRes = await client.uploadSbom(projectId, report.sbom.content);
+  const scanRes = await client.uploadSbom(projectId, buildUploadPayload(report));
   return {
     projectId,
     projectCreated: upsertRes.created,
@@ -1671,6 +2858,28 @@ function shouldFailCi(report, threshold) {
     (v) => severityOrder3[v.severity] <= thresholdLevel
   );
 }
+function deriveArtifactOutputPaths(cycloneDxOutput) {
+  const parsed = parse(cycloneDxOutput);
+  let baseName = parsed.name;
+  if (parsed.ext === ".json" && baseName.endsWith(".cdx")) {
+    baseName = baseName.slice(0, -4);
+  }
+  return {
+    cyclonedx: cycloneDxOutput,
+    spdx: join(parsed.dir, `${baseName}.spdx.json`),
+    swid: join(parsed.dir, `${baseName}.swid.xml`)
+  };
+}
+function buildUploadPayload(report) {
+  if (!report.artifacts) {
+    return report.sbom.content;
+  }
+  return {
+    cyclonedx: JSON.parse(report.artifacts.cyclonedx.content),
+    spdx: JSON.parse(report.artifacts.spdx.content),
+    swid: report.artifacts.swid.content
+  };
+}
 
 // src/reporters/platform.ts
 function renderPlatformScan(projectPath, result) {
@@ -1696,7 +2905,7 @@ function renderPlatformScan(projectPath, result) {
       const fix = vuln.fixedVersion ? ` \u2192 fix: ${vuln.fixedVersion}` : "";
       lines.push(`    ${severityBadge2(vuln.severity)}  ${vuln.cveId}`);
       lines.push(`           ${vuln.dependencyName}@${vuln.version}${fix}`);
-      lines.push(`           ${vuln.summary.slice(0, 100)}`);
+      lines.push(`           ${(vuln.summary ?? "").slice(0, 100)}`);
       lines.push("");
     }
   }
@@ -1812,7 +3021,8 @@ function parseArgs(argv) {
     sbomOutput: "./sbom.cdx.json",
     failOnSeverity: null,
     skipCveCheck: false,
-    skipUpload: false
+    skipUpload: false,
+    cyclonedxVersion: "1.7"
   };
   let i = 0;
   while (i < args.length) {
@@ -1839,13 +3049,30 @@ function parseArgs(argv) {
       result.skipCveCheck = true;
     } else if (arg === "--skip-upload" || arg === "--offline") {
       result.skipUpload = true;
+    } else if (arg === "--cdx-version" || arg.startsWith("--cdx-version=")) {
+      const val = arg === "--cdx-version" ? args[++i] : arg.split("=")[1];
+      if (!val || val.startsWith("--")) {
+        throw new Error("--cdx-version requires a value");
+      }
+      if (!["1.4", "1.5", "1.6", "1.7"].includes(val)) {
+        throw new Error(`Invalid CycloneDX version: ${val}`);
+      }
+      result.cyclonedxVersion = val;
     }
     i++;
   }
   return result;
 }
 async function main() {
-  const args = parseArgs(process.argv);
+  let args;
+  try {
+    args = parseArgs(process.argv);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logError(msg);
+    log("Run 'npx verimu --help' for usage information");
+    process.exit(2);
+  }
   if (args.command === "version") {
     console.log(`verimu ${VERSION}`);
     return;
@@ -1869,6 +3096,7 @@ async function main() {
     projectPath: resolve(args.projectPath),
     sbomOutput: args.sbomOutput,
     skipCveCheck: args.skipCveCheck,
+    cyclonedxVersion: args.cyclonedxVersion,
     // Don't pass apiKey to scan() if --skip-upload — we'll handle upload separately for better logging
     apiKey: apiKey && !args.skipUpload ? void 0 : void 0,
     apiBaseUrl
@@ -1906,7 +3134,7 @@ async function main() {
     }
   }
   console.log("");
-  log("Thanks for using Verimu \u2014 keeping your software CRA-compliant \u{1F6E1}\uFE0F");
+  log("Thanks for using Verimu \u2014 helping your team with CRA readiness");
   console.log("");
   if (args.failOnSeverity && shouldFailCi(report, args.failOnSeverity)) {
     logError(`Vulnerabilities found at or above ${args.failOnSeverity} severity`);
@@ -1926,10 +3154,11 @@ function printHelp() {
 
   Options:
     --path, -p <dir>       Project directory to scan (default: .)
-    --output, -o <file>    SBOM output path (default: ./sbom.cdx.json)
+    --output, -o <file>    CycloneDX output path (SPDX/SWID are written alongside it)
     --fail-on <severity>   Exit 1 if vulns at or above: CRITICAL, HIGH, MEDIUM, LOW
     --skip-cve             Skip CVE vulnerability checking
     --skip-upload          Don't sync to Verimu platform (even if API key is set)
+    --cdx-version <ver>    CycloneDX spec: 1.4, 1.5, 1.6, 1.7 (default: 1.7)
 
   Environment:
     VERIMU_API_KEY         API key for Verimu platform (from app.verimu.com)
@@ -1939,6 +3168,7 @@ function printHelp() {
     npx verimu                                    # Quick scan
     VERIMU_API_KEY=vmu_xxx npx verimu             # Scan + sync to platform
     npx verimu scan --fail-on HIGH                # Fail CI on HIGH+ vulns
+    npx verimu scan --cdx-version 1.5             # Specify CycloneDX version
     npx verimu scan --path ./backend --output ./reports/sbom.json
 
   Supported ecosystems:
@@ -1955,4 +3185,4 @@ main().catch((err) => {
   console.error("Fatal:", err);
   process.exit(2);
 });
-//# sourceMappingURL=cli.mjs.map
+//# sourceMappingURL=cli.js.map