If the generate command gets given a binary file, an empty SBOM may be generated. It could make sense to detect that it is a non-JSON/config file, and generate a single entry SBOM (similar to giving Surfactant a directory). Same for listing a file under extract paths in a config file instead of a folder.

Make sure new system object isn't created by merge subcommand if a duplicate UUID already exists.

Describe the bug
When using Surfactant on Windows the installPath is not updated with a config defined installPrefix.

To Reproduce
Steps to reproduce the behavior:

1. Create config like the following:

[
    {
        "extractPaths": [
            "path/to/directory"
        ],
        "installPrefix": "new/install/path"
    }
]

2. Run Surfactant in a Windows environment.
3. Check the generated SBOM and notice the installPath has not been updated.

Expected behavior
installPath would be updated with the installPrefix.

Screenshots
Configuration file used:

[
  {
    "extractPaths": [ "C:/Program Files/Git/mingw64/bin" ],
    "installPrefix": "new/install/path"
  }
]

Example from the generated SBOM:

    {
      "UUID": "e3b55c39-af35-4041-a1ae-5b27750305a3",
      "name": null,
      "size": 92465,
      "fileName": [
        "acountry.exe"
      ],
      "installPath": [
        "C:/Program Files/Git/mingw64/bin\\acountry.exe"
      ],
      "containerPath": [],
      "captureTime": 1694456199,
      "version": "",
      "vendor": [],
      "description": "",
      "sha1": "ee31a2610f360b4e19066325b19a7deed6e0c8b3",
      "sha256": "cc304d2a3c13f6c1b587e484c53b8750fc740717723c4cc293fa26557f8586bc",
      "md5": "33eaa33f9632e9c84b2100ef9a1eec2c",
      "relationshipAssertion": "Unknown",
      "comments": "",
      "metadata": [
        {
          "collectedBy": "Surfactant",
          "collectionPlatform": "Windows-10-10.0.19045-SP0",
          "fileInfo": {
            "mode": "-rwxrwxrwx",
            "hidden": false
          }
        },
        {
          "OS": "Windows",
          "peMachine": "AMD",
          "peOperatingSystemVersion": "4.0",
          "peSubsystemVersion": "5.2",
          "peSubsystem": "WINDOWS_CUI",
          "peLinkerVersion": "2.40",
          "peImport": [
            "KERNEL32.dll",
            "msvcrt.dll",
            "WS2_32.dll",
            "libcares-2.dll"
          ],
          "peIsExe": true,
          "peIsDll": false,
          "peIsClr": false,
          "dllRedirectionLocal": false
        }
      ],
      "supplementaryFiles": [],
      "provenance": null,
      "recordedInstitution": "LLNL",
      "components": []
    },

System Information (please complete the following information):

• OS: Windows 10

Additional context
This appears to be due to the regex used in real_path_to_install_path that requires a UNIX style separator (/) to be used. However, os.join (which is used to generate the filepaths) uses whatever the OS's path separator happens to be.

Explore how feasible it would be to set up a plugin that runs a program in a sandbox, and collects information while the program is running.

Related:
https://github.com/Rurik/Noriben
https://github.com/LLNL/Surfactant/tree/main/docs/windows_installer_tutorial

There are several warnings when building the PyPI packages.

https://github.com/LLNL/Surfactant/actions/runs/5559696051/jobs/10156061274

• Investigate UserWarning: unexported git archival found
• Investigate UserWarning: git archive did not support describe output
• Investigate _Warning: Package 'surfactant.cmd' is absent from the packages configuration. (add to setuptools packages configuration field? same for several other subfolders)

Similar to the functionality in the merge command, it would be convenient if the generate command can establish a relationship to top-level system UUID that contains everything else.

The ReadtheDocs website has a layout for the different documentation sections and pages -- replace the TODOs with actual content.

• Index/Homepage
• Getting Started
• Configuration
• Usage
• Plugins
• Contributing
  • Link to https://github.com/LLNL/Surfactant/blob/main/CONTRIBUTING.md as most of the content will likely be very similar

Make a logo for including in the README and docs site.

Add the Surfactant logo so it appears as the image for repository on GitHub.

Add a PR template to match recommended community standards: https://github.com/LLNL/Surfactant/community

There are a few different magic bytes patterns that can be used by zlib compressed files. Being able to recognize them for inclusion in generated SBOMs would be good; we've come across a number zlib compressed firmware files, or files such as z19 which is just a zlib compressed motorola s-record file.

Currently what the interesting bits of metadata that give a good indication of what an SBOM field such as version should be is hard-coded in surfactant/cmd/generate.py.

This can probably be done by adding a hookspec that allows a plugin to return hints about what metadata fields can be mapped to specific pieces of key SBOM information. Implementations of the hook for PE and OLE/MSI file metadata should be added. Alternative ideas for how to approach this can be considered.

Look into what it would take to get stickers, or small business card size things printed with some basic info to hand out.

After renaming the logos, the file name wasn't updated in the conf.py file for the RTD site.

Currently the only way to modify an initial SBOM is mainly by overwriting the associated JSON file manually. It might be a better idea and more user friendly in the long run to create a web interface where users can open SBOM files and modify them more easily without producing errors in the final JSON. The Web interface could also incorporate other features like invoking the command line functionality over a GUI Web interface.

Is your feature request related to a problem? Please describe.
Users should be able to configure settings unique to each plugin, and ideally be able to control which plugins run beyond using pip virtual environments. This feature could also be used to let users configure default Surfactant settings, such as the recorded institution and potentially preferred behavior for various scenarios. A config or settings subcommand for editing a user-wide settings file similar to git config could be nice.

Describe the solution you'd like
From discussion in the working group, the following is what we'd like (copy+paste from PowerPoint slides gives an image):

Tests will need to be run on Windows to make sure Surfactant works properly there (and not just in WSL). A test CI run on Windows indicated that the ELF relationship unit tests are failing: https://github.com/LLNL/Surfactant/actions/runs/5558488662/jobs/10153646487#step:5:75

For loading native libraries, .NET specifies that it checks the following name combinations depending on what platform it's running on:

https://learn.microsoft.com/en-us/dotnet/standard/native-interop/native-library-loading

It does not mention what happens if a name like "libname.dll" is provided to a .NET assembly running on Linux/macOS. Does the runtime remove the platform-specific ".dll" extension before adding on ".so" or does it try "libname.dll.so"? Does the same happen if a Linux/macOS name is supplied to a Windows .NET runtime?

Another (external) SBOM may already define the system object -- if so, only create the relationships.

Add support for the magic bytes for static libraries (.a) files used on Linux, and .lib files on Windows.

Some useful references on what the magic bytes are for these files can be found at:
https://github.com/file/file/blob/c8bba134ac1f3c9f5/magic/Magdir/msvc#L22
https://www.garykessler.net/library/file_sigs.html

Currently it is Includes, but there should be an option for the user to change it (with a default of Contains).

If following the instructions in the original readme, the build will fail in a virtual environment if wheel is not installed which then requires the user to manually install wheel before finishing the installation.

Note: I have framed this as a feature request as I'm unsure if the current behavior is a bug or expected.

Is your feature request related to a problem? Please describe.
When I run Surfactant using a config file that only contains an extractPaths entry then no "Uses" relationships are generated for imports. To get the "Uses" relationships to be generated I must include an installPrefix. This requirement is not currently documented, as far as I can see, so I'm not sure if this is expected.

As I initially read the documentation, I expected installPrefix to help in two situations. One, be a way of overriding the generated SBOM's installPath to better reflect an actual installation of the software. Two, it would also give the user an opportunity to remove any local information that may be revealed in the extract path. I didn't expect that I had to specify installPrefix in order to generate relationships.

Describe the solution you'd like
My ideal solution is that the extractPaths are used as the installPath if an installPrefix is not explicitely stated. This would ensure that "Uses" relationships are generated by default. I would include the extractPaths in the generated installPath of the SBOM unless overriden by the installPrefix.

This solution would break existing behavior in two ways:

1. Generate relationships when they used to not.
2. Generate an installPath when it used to be an empty list.

Change 1 can be addressed by the user using --skip_relationships. Change 2 cannot be easily addressed and I believe that is still acceptable. The current implementation generates no installPath information if an installPrefix is not provided.
That makes it so that file system hierarchical information is not collected (i.e. the generated SBOM appears to exist in a flat file system). I don't believe that this is especially useful by default and users would rather collect that information without additional configuration.

Describe alternatives you've considered
One alternative solution would be to use the extract path solely for the sake of calculating relationships but to not save it as the installPath. I believe this would be a more complicated solution as current relationship generating methods appear to rely on the installPath field in the software object.

Another solution is to simply update the documentation to better reflect that an installPrefix must be provided to ensure that "Uses" relationships are captured.

Additional context
If you run Surfactant by passing an extract path directly through the CLI (instead of using a config file), then the extract path is automatically used as the installPrefix and relationships are generated. This behavior matches my proposed solution.

I have found that my documentation of existing behavior is consistent on Windows and Linux for PE and ELF binaries, respectively.

The existing documentation does seem to imply the existing behavior is expected. Example 1 in the README demonstrates a bare config file with no installPrefix and the generated SBOM has no relationships. Example 2 then shows a config file with an installPrefix and the relationships are in fact generated. I would suggest that this behavior be more explicitely stated if it is expected though.

retire.js is a vulnerability scanner for JavaScript, and has a file with a collection of patterns for recognizing various JavaScript libraries and their versions.

1. Look into what it would take to identify a file as JavaScript (or HTML/CSS)
2. Add a method to recognize specific JavaScript libraries and their versions using a database, either from retire.js or another tool that has a similar collection of patterns that we can use as a starting point for pattern matching.

the LIEF library can perform Windows signature checks on linux systems. It would be nice to have this functionality in Surfactant, something along the lines of their example here.

Describe the bug
Installed the latest rc2.
Run generate over files that I know crash surfactant
observe crash

To Reproduce
Steps to reproduce the behavior:

1. Install Surfactant 0.0.0rc2
2. surfactant generate ./_modules.extracted.crashes.surfactant test.sbom.json

Expected behavior
sbom generated

Crash Output
`
└─$ surfactant generate ./_modules.extracted.crashes.surfactant test.sbom.json
2024-01-25 08:45:30.479 | WARNING | surfactant.cmd.generate:sbom:284 - Fixing install path
2024-01-25 08:45:30.479 | INFO | surfactant.cmd.generate:sbom:293 - Processing ./_modules.extracted.crashes.surfactant
Traceback (most recent call last):
File "/home/user/surfactant/bin/surfactant", line 8, in
sys.exit(main())
^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/click/core.py", line 1157, in call
return self.main(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/surfactant/cmd/generate.py", line 347, in sbom
if ftype := pm.hook.identify_file_type(filepath=filepath):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/pluggy/_hooks.py", line 501, in call
return self._hookexec(self.name, self._hookimpls.copy(), kwargs, firstresult)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/pluggy/_manager.py", line 119, in _hookexec
return self._inner_hookexec(hook_name, methods, kwargs, firstresult)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/pluggy/_callers.py", line 138, in _multicall
raise exception.with_traceback(exception.traceback)
File "/home/user/surfactant/lib/python3.11/site-packages/pluggy/_callers.py", line 102, in _multicall
res = hook_impl.function(*args)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/user/surfactant/lib/python3.11/site-packages/surfactant/filetypeid/id_hex.py", line 82, in identify_file_type
curr = f.readline()
^^^^^^^^^^^^
File "", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xc4 in position 35: invalid continuation byte

└─$ surfactant version
0.0.0rc2

`

System Information (please complete the following information):

• OS: Debian 6.1.20-1

Additional context
Cannot share the files but this is the head of the first one in the directory. I'm not sure if this file is the one causing the crash, if Surfactant outputted the file it crashes on I could examine that file further.
xxd 324C016 | head 00000000: 0000 0c48 4c69 6e6f 0210 0000 6d6e 7472 ...HLino....mntr 00000010: 5247 4220 5859 5a20 07ce 0002 0009 0006 RGB XYZ ........ 00000020: 0031 0000 6163 7370 4d53 4654 0000 0000 .1..acspMSFT.... 00000030: 4945 4320 7352 4742 0000 0000 0000 0000 IEC sRGB........ 00000040: 0000 0001 0000 f6d6 0001 0000 0000 d32d ...............- 00000050: 4850 2020 0000 0000 0000 0000 0000 0000 HP ............ 00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000080: 0000 0011 6370 7274 0000 0150 0000 0033 ....cprt...P...3 00000090: 6465 7363 0000 0184 0000 006c 7774 7074 desc.......lwtpt

I did put that single file in its own directory and reran Surfactant it ran but produced an empty output.
`
└─$ cp ./_modules.extracted.crashes.surfactant/324C016 ./crash1

└─$ surfactant generate ./crash1 test.sbom.json
2024-01-25 08:55:14.539 | WARNING | surfactant.cmd.generate:sbom:284 - Fixing install path
2024-01-25 08:55:14.539 | INFO | surfactant.cmd.generate:sbom:293 - Processing ./crash1

└─$ cat test.sbom.json
{
"systems": [],
"hardware": [],
"software": [],
"relationships": [],
"analysisData": [],
"observations": [],
"starRelationships": []
}

└─$ ls ./crash1
324C016

└─$ file ./crash1/324C016
./crash1/324C016: Microsoft color profile 2.1, type Lino, RGB/XYZ-mntr device, IEC/sRGB model by HP, 3144 bytes, 9-2-1998 6:49:00, relative colorimetric "sRGB IEC61966-2.1"

`

Related to #18. In order to bump up the pinned version of spdx-tools dependency to 0.8.*, there are a number lot of breaking changes that need to be addressed: https://github.com/spdx/tools-python/wiki/How-to-migrate-from-0.7-to-0.8

Despite calling it out in the readme, there is no CONTRIBUTING.md file in the repository

Consider leveraging an existing file magic library to recognize file types instead of doing it ourselves for every file type we want to support.

Create diagrams (one or more?) showing an overview of how Surfactant works — for overview presentations and documentation. Asciinema showing example use of Surfactant could also be useful for the docs.

Add an output writer that outputs relationships in the Graphviz DOT format for generating a graph showing how different files tie together.

Resources for information on the file format include:

• https://graphviz.org/doc/info/lang.html
• https://en.wikipedia.org/wiki/DOT_(graph_description_language)

The graph "type" output should probably be digraph.

The ELF relationships code currently uses os.path.normpath to cleanup and normalize paths, however the behavior of this function is different on Windows than POSIX systems tested (including macOS). This leads to the unit tests for ELF relationships failing on Windows systems.

The description of the Clean function in Go describes a working normalization function for that would be suitable for this, with the exception of a "//" appearing at the start of a path remaining intact. A few examples of this special behavior:

os.path.normpath("/") -> "/"
os.path.normpath("//") -> "//"
os.path.normpath("///") -> "/"
os.path.normpath("////") -> "/"
os.path.normpath("/..") -> "/"
os.path.normpath("/../") -> "/"
os.path.normpath("//../") -> "//"
os.path.normpath("//a//b/c///d") -> "//a/b/c/d"
os.path.normpath("///a//b/c///d") -> "/a/b/c/d"

The Python docs for the os.path.normpath function can be found at https://docs.python.org/3/library/os.path.html#os.path.normpath and they link to the IEEE Standard on pathname resolution

This fix will also make CI tests pass for #7.

Add docstrings to functions, classes, and modules that are missing them. This will take some time to complete, and is likely to be done gradually.

Follows the google docstrings format

Surfactant crashes with an IndexError when attempting to process linux kernel boot images (vmlinux) as it incorrectly assumes that they are Windows PE files and then fails when processing the non-existent 'optional' header.

To reproduce:

• run surfactant generate on a container that has a linux kernel boot image in COFF format

The root cause of this is that filetypeinfo/id_magic.py assumes any file with the magic bytes MZ is a PE file, when MZ really denotes a DOS EXE file, which PE is built off of. The COFF linux boot image format starts with the same MZ, but notably is lacking the standard DOS stub of 'This program cannot be run in DOS mode` and does not have the windows-specific 'optional' header. A more robust means of checking for PE files could also check for that message, or for the optional header located after the DOS stub and standard COFF headers.

This is system-agnostic.

Describe the bug
When running Surfactant on a particular binary it crashed due to an object not having a StringTable attribute.
The binary was the "uninstall.exe" binary generated by IDA Freeware 8.3.

To Reproduce
Steps to reproduce the behavior:

1. Run Surfactant on IDA Freeware 8.3 directory
2. Surfactant crashes upon attempting to analyze "uninstall.exe"

Expected behavior
Surfactant to run without crashing on the specified binary.

Screenshots
Stack trace:

Traceback (most recent call last):
  File "/home/doug/projects/Surfactant/venv/bin/surfactant", line 8, in <module>
    sys.exit(main())
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
  File "/home/doug/projects/Surfactant/surfactant/cmd/generate.py", line 267, in sbom
    get_software_entry(
  File "/home/doug/projects/Surfactant/surfactant/cmd/generate.py", line 43, in get_software_entry
    extracted_info_results = pluginmanager.hook.extract_file_info(
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/pluggy/_hooks.py", line 433, in __call__
    return self._hookexec(self.name, self._hookimpls, kwargs, firstresult)
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/pluggy/_manager.py", line 112, in _hookexec
    return self._inner_hookexec(hook_name, methods, kwargs, firstresult)
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/pluggy/_callers.py", line 116, in _multicall
    raise exception.with_traceback(exception.__traceback__)
  File "/home/doug/projects/Surfactant/venv/lib/python3.10/site-packages/pluggy/_callers.py", line 80, in _multicall
    res = hook_impl.function(*args)
  File "/home/doug/projects/Surfactant/surfactant/infoextractors/pe_file.py", line 30, in extract_file_info
    return extract_pe_info(filename)
  File "/home/doug/projects/Surfactant/surfactant/infoextractors/pe_file.py", line 143, in extract_pe_info
    for st in fi_entry.StringTable:
AttributeError: 'Structure' object has no attribute 'StringTable'

System Information (please complete the following information):

• OS: Windows 10 / Ubuntu 20.04 using WSL2

Additional context
PR to follow.

• Rename config - context?
• Create dataclass for context entries for files/folders to process
• Propagate context to extract_file_info hook so analysis plugins can add new files/folders to the list of things to analyze

When creating an SBOM from pieces of a container, the files may appear to be in a flat file system within the container.

e.g. A.zip has a file under usr/bin/fileA

An SBOM is generated with a config file that lists:
archive = "A.zip"
extractPaths = "some-directory-with-only-usr/bin-files"

The resulting SBOM should have fileA with a container path of <parent_uuid>/usr/bin/fileA, but it actually just has <parent_uuid>/fileA. This could potentially be inferred to some degree from the provided installPrefix? But msi/exe installers get complicated (are they just a bunch of blobs of file data internally?).

Add an output writer plugin (that is optional/requires extra install step) that uses https://github.com/CoatiSoftware/Sourcetraildb (or that looks at the SQLite schema that the library writes to) to output relationships in a file that can be loaded by Sourcetrail for visualization. See https://github.com/quarkslab/pyrrha?tab=readme-ov-file#visualization-with-sourcetrail for an idea of how relationships could be mapped to the Sourcetrail format.

https://cytoscape.org/

Extracting library dependency names from binary metadata provides a "base" name to check. Variations of this name are used to find the dependency file, or maybe the name is a symlink that refers to a file whose name is a variation of the base name.

For example, "libname" might end up linking with "libname.so.4" or any version number when actually running it. In this case, one check could be against file names that match libname.so.[0-9]. For name variations across different systems, other matching is needed.

As discussed in #28, It would be nice to implement a plugin that gets information from Linux Kernel images. The filetype magic for this is already in place (though it does not detect 'old'/pre-linux 1.3.73 boot images*), so all that is needed is a plugin to extract the relevant data from the header and output that as the appropriate format.

The documentation on the kernel image structure can be found here: https://www.kernel.org/doc/Documentation/x86/boot.txt

There is an overview of the layout in the **** THE REAL-MODE KERNEL HEADER section and then more detailed descriptions of what each field is later.

* Based on what the linux file utility does (https://github.com/file/file/blob/master/magic/Magdir/linux#L137), the check for older kernels could be implemented by checking for the string 'Loading' at offset 0x1e3 or 0x1e9. This is left as an exercise for the reader :)

It is of version 2.0 but the latest version is 2.1(https://github.com/LLNL/Surfactant/blob/main/.github/CODE_OF_CONDUCT.md)

The CycloneDX output writer plugin doesn't set a short name of cyclonedx.

While here, the short name related code should probably also be checked to see if different types of plugins can have the same short name (e.g. both the reader and writer plugins).

Once functions have docstrings, it should be possible to generate API pages for the documentation website -- this will be useful for users looking to use Surfactant as a library. Adding a page with a brief intro to library/programmatic use could also be useful.

Currently the only accurate way to get install paths for files installed by an MSI file is running it in a VM. 3rd party tools for extracting the files don't preserve accurate install path information (and use compiled languages so may not be portable across all platforms when they use e.g. Windows-only APIs).

We should be able to port functionality from those tools to a pure Python module that can dump installed files with enough information on installation paths for creating an accurate SBOM.

Is your feature request related to a problem? Please describe.
Using print doesn't give any control over how much gets printed out, or any indication of how important the information shown is (info/debug/warn/error/etc). Switching to a logging library could allow a user to decide how much information they want Surfactant to show when running, include timestamps, and also enable outputting information to a log file.

Describe the solution you'd like
Look into what Python logging libraries are available, and compare their features. Two that come to mind are logging (which comes with the Python standard library) and loguru, but there are likely several others that could be considered. After picking a library, replace all calls to print with calls to the logging library instead.

This may be a bit of a larger task, but should be relatively straightforward. Look into the Mach-O file format, and extract whatever information could be interesting (see the ELF and PE file extraction code for ideas).

macOS/BSD might both benefit from support for Mach-O files.

In addition to the above, other things that could be looked into include:

• macOS also uses directories ending in .app as a container for programs, which should have some additional metadata files (*.plist perhaps?), in addition to .pkg installers potentially having information of interest
• BSD distributions might have their own packaging file format that contains metadata that could be extracted

Version 6 of the CycloneDX Python library introduced a breaking change by removing a function. Update the CycloneDX writer/reader to work with the new version.

Add support for adding information from Docker Scout output to an SBOM, and potentially also an attempt at parsing Dockerfile/layer information to get additional things that may have been built from source or installed without running a package manager.

This past summer work was done to explore automatically stepping through Windows installers in a VirtualBox VM and detecting what files were written by the installer: https://github.com/LLNL/Surfactant/tree/main/docs/windows_installer_tutorial

Currently it is a bit difficult to get set up and run, and due to trying to make it fully automatic there are aspects that were difficult to make reliable. Some ideas for improving it, and potentially making it more of an interactive tool are:

• Make installation of the minifilter driver easier (installer/script?)
• Add tool/script to simplify fresh VM setup
• Write a tool (GUI) for manually running an installer in a VM that allows picking the installer to run and handles starting/stopping the minifilter driver; show the exact directories that files are written to in the GUI for users to monitor in real time; flag temporary files that were deleted and give instructions for capturing those ephemeral files (consider an option to re-run installer in the tool but copy flagged files as soon as they are written or intercept the delete file event and copy before deletion/suppress deletion)
• Export the written file information as a valid Surfactant config file, maybe with all written files zipped up into a single archive