chore(deps): bump @cyclonedx/cdxgen from 12.2.0 to 12.5.1 #578

Merged
v3nant merged 1 commit into main from dependabot/npm_and_yarn/cyclonedx/cdxgen-12.5.1
Jun 10, 2026
@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Bumps @cyclonedx/cdxgen from 12.2.0 to 12.5.1.

Release notes

Sourced from @cyclonedx/cdxgen's releases.

Release v12.5.1

cdxgen now supports generating AI/ML-BOM with the new -t ai type. For JavaScript and Python projects, AI-BOM would also include the exact occurrence evidence.

evinse is now supported for Rust projects. Pass --profile research to generate SBOM with rich occurrence and call-stack evidence. We have also added initial support for CBOM for Rust. This feature is powered by rusi.

Full Changelog: cdxgen/cdxgen@v12.5.0...v12.5.1

Release v12.5.0

Highlights

This release introduces go evinse with golem integration for deep, data-flow-aware analysis of go projects. The JavaScript analyzer gains type-only import detection, better Vue.js scope resolution, and new npm build script metadata. Angular projects have improved CSS, template, and CLI evidence collection.

Major Features

go evinse with golem (#4073) — Full integration of the golem plugin binary for Go project analysis. Includes call graph and data-flow extraction, evidence collection (callstacks, locations, supply-chain scope), and crypto-flow evidence with cryptographic-asset component generation.

Angular analyzer enhancements (#4074) — Improved required-scope detection for CSS, template, and CLI-based package usage. Style file parsing handles .css, .scss, and .less references. Template and icon class heuristics cover material-symbols, primeicons, bootstrap-icons, and fontawesome. Analyzer now detects CLI scripts including npx and pnpm dlx wrappers and hydrates npm package metadata from disk in deep mode.

Vue.js precision improvements (#4115) — Scope detection parses vite.config.* and vue.config.* to reduce false negatives. astgen from atom-parsetools is improved to better infer types for angular and vue.js in JavaScript and TypeScript.

JavaScript type-only imports (#4110) — The JS/TS analyzer now detects and prunes type-only imports and exports (import type { X }, export type { Y }), producing more accurate scope assignment and reducing false positives for packages used only at compile time.

@types packages excluded from runtime scope (#4108) — @types/* npm packages are now filtered out from runtime scope and excluded from requiredOnly BOMs, so they appear correctly as dev-only.

Other Changes

cdxgen-plugins-bin updated: Includes dosai 3.0.5 support with more improvement for dotnet and R.

Pixi parsing hardened (#4077): Better handling of missing base paths and malformed toml in pixi.lock workspace files.

Full Changelog: cdxgen/cdxgen@v12.4.4...v12.5.0

Release v12.4.4

What's Changed

Full Changelog: cdxgen/cdxgen@v12.4.3...v12.4.4

Release v12.4.3

This release includes one security fix.

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 8, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 8, 2026 21:14
Bumps [@cyclonedx/cdxgen](https://github.com/cdxgen/cdxgen) from 12.2.0 to 12.5.1.
- [Release notes](https://github.com/cdxgen/cdxgen/releases)
- [Commits](cdxgen/cdxgen@v12.2.0...v12.5.1)

---
updated-dependencies:
- dependency-name: "@cyclonedx/cdxgen"
  dependency-version: 12.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/cyclonedx/cdxgen-12.5.1 branch from de27257 to 3e4c330 Compare June 10, 2026 19:44
@v3nant v3nant merged commit b77837c into main Jun 10, 2026
12 checks passed
@v3nant v3nant deleted the dependabot/npm_and_yarn/cyclonedx/cdxgen-12.5.1 branch June 10, 2026 20:07
Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

2 participants