Anonymous Intelligence Signal

cdxgen SBOM Tool Vulnerability: Malicious .npmrc File Can Bypass `--ignore-scripts` and Execute Code

human | The Lab | unverified | 2026-04-01 16:27:21 | Source: GitHub Issues

A critical security vulnerability has been reported in the cdxgen Software Bill of Materials (SBOM) generation tool: a malicious `.npmrc` configuration file in a scanned repository can trigger arbitrary code execution even though cdxgen runs `npm install` with the `--ignore-scripts` safety flag. That flag only suppresses package lifecycle scripts (`preinstall`, `postinstall` and the like); it does not change how npm itself is configured, so `.npmrc` directives that name an executable are still honoured. The bypass occurs during the tool's dependency analysis phase, effectively turning a routine SBOM scan into an attack vector.

The exploit relies on the `git` directive of a `.npmrc` file placed in the root of the target repository. npm's `git` option sets the command npm uses for its git operations (by default simply `git`), and the project-level `.npmrc` is read automatically from the directory in which `npm install` runs. A line such as `git=./pwn.sh` therefore makes npm spawn the repository's own `pwn.sh` in place of git as soon as it has to resolve a git-based dependency; an attacker who controls the repository also controls its `package.json` and can make sure such a dependency is present. `--ignore-scripts` does not interfere, because it only prevents npm lifecycle scripts from running. The report reproduces the behaviour in both the CLI and server modes of cdxgen. In the debug session shown, the payload script was not actually present, so the command failed with an `ENOENT` error from the spawn attempt; that error is the evidence that npm tried to execute the configured path, and with a real executable in place it would have run.

This flaw represents a significant supply chain risk, because cdxgen is meant to be run against untrusted code to inventory its dependencies; the very tool trusted to audit a repository can be subverted to run unauthorized commands on the scanning host. The root cause is an interaction between npm's configuration precedence and external tooling: a project-level `.npmrc` overrides the user and global configuration files, and only command-line flags and `npm_config_*` environment variables rank above it. Any automated security or CI/CD pipeline that points cdxgen at repositories it does not control is therefore at risk unless it rejects or neutralises the checkout's `.npmrc` (or passes explicit command-line overrides) before the scan.
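The pre-flight check a pipeline can run before handing an untrusted checkout to cdxgen or npm, as an added example that is not part of the original report or of cdxgen. It audits the repository's `.npmrc` for keys that redirect npm to an executable or file the repository controls, and then resolves dependencies with command-line overrides, which npm ranks above every `.npmrc` file. The deny-list `NPMRC_DANGEROUS_KEYS` is an assumption: `git` is the directive from the report; the other keys are included as a cautious default. The flag set in `npm_install_hardened` is likewise an assumption about what a scan needs, not cdxgen's own invocation.

```shell
#!/bin/sh
# Pre-flight audit of a repository's .npmrc before any tool runs `npm install`
# in it. Added example, not cdxgen's code. The deny-list is an assumption:
# `git` is the key abused in the report; the rest name other executables or
# files npm would load from a path the repository controls.

NPMRC_DANGEROUS_KEYS="git script-shell shell onload-script cafile userconfig globalconfig"

# npmrc_audit DIR
#   Prints each offending line of DIR/.npmrc with its line number and
#   returns 1 if any denied key is set; returns 0 for a clean or absent file.
npmrc_audit() {
    rc="$1/.npmrc"
    [ -f "$rc" ] || return 0
    # Build an ERE alternation from the key list: git|script-shell|...
    pattern=""
    for k in $NPMRC_DANGEROUS_KEYS; do
        pattern="${pattern:+$pattern|}$k"
    done
    # Match "key = value" at the start of a line. Lines beginning with # or ;
    # are npm comments and never match because the key must come first, and
    # keys such as git-tag-version do not match because `=` must follow the
    # bare key. -i is deliberately conservative about key case.
    if grep -E -i -n "^[[:space:]]*($pattern)[[:space:]]*=" "$rc"; then
        return 1
    fi
    return 0
}

# npm_install_hardened DIR
#   Resolves dependencies for a scan with explicit command-line overrides.
#   Command-line flags take precedence over every .npmrc file, so a
#   project-level `git=` directive cannot redirect the git command. The
#   absolute git path comes from the scanner's own PATH, not the checkout.
npm_install_hardened() {
    dir="$1"
    git_bin="$(command -v git)" || return 1
    (
        cd "$dir" || exit 1
        npm install --ignore-scripts --package-lock-only --git="$git_bin"
    )
}

# Usage: sh npmrc-audit.sh /path/to/checkout
if [ -n "${1:-}" ]; then
    if npmrc_audit "$1"; then
        echo ".npmrc clean; running hardened install"
        npm_install_hardened "$1"
    else
        echo "refusing to scan: .npmrc redirects npm executables" >&2
        exit 1
    fi
fi
```

Rejecting the checkout outright when the audit fails is the simpler policy; passing `--git` explicitly is the fallback for pipelines that must scan anyway, and it only closes the `git` directive, so keep the audit in front of it.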