@trustify-da/trustify-da-javascript-client 0.2.4-ea-1

package/dist/src/providers/java_maven.js

@@ -0,0 +1,263 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { EOL } from 'os';
+import { XMLParser } from 'fast-xml-parser';
+import Sbom from '../sbom.js';
+import { getCustom } from '../tools.js';
+import Base_java, { ecosystem_maven } from "./base_java.js";
+/** @typedef {import('../provider').Provider} */
+/** @typedef {import('../provider').Provided} Provided */
+/** @typedef {{name: string, version: string}} Package */
+/** @typedef {{groupId: string, artifactId: string, version: string, scope: string, ignore: boolean}} Dependency */
+export default class Java_maven extends Base_java {
+    constructor() {
+        super('mvn', 'mvnw' + (process.platform === 'win32' ? '.cmd' : ''));
+    }
+    /**
+     * @param {string} manifestName - the subject manifest name-type
+     * @returns {boolean} - return true if `pom.xml` is the manifest name-type
+     */
+    isSupported(manifestName) {
+        return 'pom.xml' === manifestName;
+    }
+    /**
+     * @param {string} manifestDir - the directory where the manifest lies
+     */
+    validateLockFile() { return true; }
+    /**
+     * Provide content and content type for maven-maven stack analysis.
+     * @param {string} manifest - the manifest path or name
+     * @param {{}} [opts={}] - optional various options to pass along the application
+     * @returns {Provided}
+     */
+    provideStack(manifest, opts = {}) {
+        return {
+            ecosystem: ecosystem_maven,
+            content: this.#createSbomStackAnalysis(manifest, opts),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    /**
+     * Provide content and content type for maven-maven component analysis.
+     * @param {string} manifest - path to the manifest file
+     * @param {{}} [opts={}] - optional various options to pass along the application
+     * @returns {Provided}
+     */
+    provideComponent(manifest, opts = {}) {
+        return {
+            ecosystem: ecosystem_maven,
+            content: this.#getSbomForComponentAnalysis(manifest, opts),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    /**
+     * Create a Dot Graph dependency tree for a manifest path.
+     * @param {string} manifest - path for pom.xml
+     * @param {{}} [opts={}] - optional various options to pass along the application
+     * @returns {string} the Dot Graph content
+     * @private
+     */
+    #createSbomStackAnalysis(manifest, opts = {}) {
+        const manifestDir = path.dirname(manifest);
+        const mvn = this.selectToolBinary(manifest, opts);
+        const mvnArgs = JSON.parse(getCustom('TRUSTIFY_DA_MVN_ARGS', '[]', opts));
+        if (!Array.isArray(mvnArgs)) {
+            throw new Error(`configured maven args is not an array, is a ${typeof mvnArgs}`);
+        }
+        // clean maven target
+        try {
+            this._invokeCommand(mvn, ['-q', 'clean', ...mvnArgs], { cwd: manifestDir });
+        }
+        catch (error) {
+            throw new Error(`failed to clean maven target`, { cause: error });
+        }
+        // create dependency graph in a temp file
+        let tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'exhort_'));
+        let tmpDepTree = path.join(tmpDir, 'mvn_deptree.txt');
+        // build initial command (dot outputType is not available for verbose mode)
+        let depTreeCmdArgs = ['-q', 'org.apache.maven.plugins:maven-dependency-plugin:3.6.0:tree',
+            '-Dscope=compile', '-Dverbose',
+            '-DoutputType=text', `-DoutputFile=${tmpDepTree}`];
+        // exclude ignored dependencies, exclude format is groupId:artifactId:scope:version.
+        // version and scope are marked as '*' if not specified (we do not use scope yet)
+        let ignoredDeps = new Array();
+        let ignoredArgs = new Array();
+        this.#getDependencies(manifest).forEach(dep => {
+            if (dep.ignore) {
+                ignoredArgs.push(`${dep['groupId']}:${dep['artifactId']}`);
+                //version is not reliable because we're not resolving the effective pom
+                ignoredDeps.push(this.toPurl(dep.groupId, dep.artifactId));
+            }
+        });
+        if (ignoredArgs.length > 0) {
+            depTreeCmdArgs.push(`-Dexcludes=${ignoredArgs.join(',')}`);
+        }
+        // execute dependency tree command
+        try {
+            this._invokeCommand(mvn, [...depTreeCmdArgs, ...mvnArgs], { cwd: manifestDir });
+        }
+        catch (error) {
+            throw new Error(`failed creating maven dependency tree`, { cause: error });
+        }
+        // read dependency tree from temp file
+        let content = fs.readFileSync(tmpDepTree);
+        if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
+            console.error("Dependency tree that will be used as input for creating the BOM =>" + EOL + EOL + content.toString());
+        }
+        let sbom = this.createSbomFileFromTextFormat(content.toString(), ignoredDeps, opts);
+        // delete temp file and directory
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+        // return dependency graph as string
+        return sbom;
+    }
+    /**
+     *
+     * @param {String} textGraphList Text graph String of the manifest
+     * @param {[String]} ignoredDeps List of ignored dependencies to be omitted from sbom
+     * @return {String} formatted sbom Json String with all dependencies
+     */
+    createSbomFileFromTextFormat(textGraphList, ignoredDeps, opts) {
+        let lines = textGraphList.split(EOL);
+        // get root component
+        let root = lines[0];
+        let rootPurl = this.parseDep(root);
+        let sbom = new Sbom();
+        sbom.addRoot(rootPurl);
+        this.parseDependencyTree(root, 0, lines.slice(1), sbom);
+        return sbom.filterIgnoredDeps(ignoredDeps).getAsJsonString(opts);
+    }
+    /**
+     * Create a dependency list for a manifest content.
+     * @param {{}} [opts={}] - optional various options to pass along the application
+     * @returns {[Dependency]} the Dot Graph content
+     * @private
+     */
+    #getSbomForComponentAnalysis(manifestPath, opts = {}) {
+        const mvn = this.selectToolBinary(manifestPath, opts);
+        const mvnArgs = JSON.parse(getCustom('TRUSTIFY_DA_MVN_ARGS', '[]', opts));
+        if (!Array.isArray(mvnArgs)) {
+            throw new Error(`configured maven args is not an array, is a ${typeof mvnArgs}`);
+        }
+        const tmpEffectivePom = path.resolve(path.join(path.dirname(manifestPath), 'effective-pom.xml'));
+        // create effective pom and save to temp file
+        try {
+            this._invokeCommand(mvn, ['-q', 'help:effective-pom', `-Doutput=${tmpEffectivePom}`, ...mvnArgs], { cwd: path.dirname(manifestPath) });
+        }
+        catch (error) {
+            throw new Error(`failed creating maven effective pom`, { cause: error });
+        }
+        // iterate over all dependencies in original pom and collect all ignored ones
+        let ignored = this.#getDependencies(manifestPath).filter(d => d.ignore);
+        // iterate over all dependencies and create a package for every non-ignored one
+        /** @type [Dependency] */
+        let dependencies = this.#getDependencies(tmpEffectivePom)
+            .filter(d => !this.#dependencyIn(d, ignored));
+        let sbom = new Sbom();
+        let rootDependency = this.#getRootFromPom(tmpEffectivePom, manifestPath);
+        let purlRoot = this.toPurl(rootDependency.groupId, rootDependency.artifactId, rootDependency.version);
+        sbom.addRoot(purlRoot);
+        dependencies.forEach(dep => {
+            let currentPurl = this.toPurl(dep.groupId, dep.artifactId, dep.version);
+            sbom.addDependency(purlRoot, currentPurl);
+        });
+        fs.rmSync(tmpEffectivePom);
+        // return dependencies list
+        return sbom.getAsJsonString(opts);
+    }
+    /**
+     *
+     * @param effectivePomManifest effective pom manifest path
+     * @param originalManifest pom.xml manifest path
+     * @return {Dependency} returns the root dependency for the pom
+     * @private
+     */
+    #getRootFromPom(effectivePomManifest) {
+        let parser = new XMLParser();
+        let buf = fs.readFileSync(effectivePomManifest);
+        let effectivePomStruct = parser.parse(buf.toString());
+        let pomRoot;
+        if (effectivePomStruct['project']) {
+            pomRoot = effectivePomStruct['project'];
+        }
+        else { // if there is no project root tag, then it's a multi module/submodules aggregator parent POM
+            for (let proj of effectivePomStruct['projects']['project']) {
+                // need to choose the aggregate POM and not one of the modules.
+                if (proj.packaging && proj.packaging === 'pom') {
+                    pomRoot = proj;
+                }
+            }
+        }
+        /** @type Dependency */
+        let rootDependency = {
+            groupId: pomRoot['groupId'],
+            artifactId: pomRoot['artifactId'],
+            version: pomRoot['version'],
+            scope: '*',
+            ignore: false
+        };
+        return rootDependency;
+    }
+    /**
+     * Get a list of dependencies with marking of dependencies commented with <!--exhortignore-->.
+     * @param {string} manifest - path for pom.xml
+     * @returns {[Dependency]} an array of dependencies
+     * @private
+     */
+    #getDependencies(manifest) {
+        /** @type [Dependency] */
+        let ignored = [];
+        // build xml parser with options
+        let parser = new XMLParser({
+            commentPropName: '#comment',
+            isArray: (_, jpath) => 'project.dependencies.dependency' === jpath,
+            parseTagValue: false
+        });
+        // read manifest pom.xml file into buffer
+        let buf = fs.readFileSync(manifest);
+        // parse manifest pom.xml to json
+        let pomJson = parser.parse(buf.toString());
+        // iterate over all dependencies and chery pick dependencies with a exhortignore comment
+        let pomXml;
+        // project without modules
+        if (pomJson['project']) {
+            if (pomJson['project']['dependencies'] !== undefined) {
+                pomXml = pomJson['project']['dependencies']['dependency'];
+            }
+            else {
+                pomXml = [];
+            }
+        }
+        else { // project with modules
+            pomXml = pomJson['projects']['project'].filter(project => project.dependencies !== undefined).flatMap(project => project.dependencies.dependency);
+        }
+        pomXml.forEach(dep => {
+            let ignore = false;
+            if (dep['#comment'] && dep['#comment'].includes('exhortignore')) { // #comment is an array or a string
+                ignore = true;
+            }
+            if (dep['scope'] !== 'test') {
+                ignored.push({
+                    groupId: dep['groupId'],
+                    artifactId: dep['artifactId'],
+                    version: dep['version'] ? dep['version'].toString() : '*',
+                    scope: '*',
+                    ignore: ignore
+                });
+            }
+        });
+        // return list of dependencies
+        return ignored;
+    }
+    /**
+     * Utility function for looking up a dependency in a list of dependencies ignoring the "ignored"
+     * field
+     * @param dep {Dependency} dependency to look for
+     * @param deps {[Dependency]} list of dependencies to look in
+     * @returns boolean true if found dep in deps
+     * @private
+     */
+    #dependencyIn(dep, deps) {
+        return deps.filter(d => dep.artifactId === d.artifactId && dep.groupId === d.groupId && dep.scope === d.scope).length > 0;
+    }
+}

package/dist/src/providers/javascript_npm.d.ts

@@ -0,0 +1,4 @@
+export default class Javascript_npm extends Base_javascript {
+    _listCmdArgs(includeTransitive: any): string[];
+}
+import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_npm.js

@@ -0,0 +1,15 @@
+import Base_javascript from './base_javascript.js';
+export default class Javascript_npm extends Base_javascript {
+    _lockFileName() {
+        return "package-lock.json";
+    }
+    _cmdName() {
+        return "npm";
+    }
+    _listCmdArgs(includeTransitive) {
+        return ['ls', includeTransitive ? '--all' : '--depth=0', '--package-lock-only', '--omit=dev', '--json'];
+    }
+    _updateLockFileCmdArgs() {
+        return ['install', '--package-lock-only'];
+    }
+}

package/dist/src/providers/javascript_pnpm.d.ts

@@ -0,0 +1,5 @@
+export default class Javascript_pnpm extends Base_javascript {
+    _listCmdArgs(includeTransitive: any): string[];
+    _buildDependencyTree(includeTransitive: any, manifest: any): any;
+}
+import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_pnpm.js

@@ -0,0 +1,22 @@
+import Base_javascript from './base_javascript.js';
+export default class Javascript_pnpm extends Base_javascript {
+    _lockFileName() {
+        return "pnpm-lock.yaml";
+    }
+    _cmdName() {
+        return "pnpm";
+    }
+    _listCmdArgs(includeTransitive) {
+        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json'];
+    }
+    _updateLockFileCmdArgs() {
+        return ['install', '--frozen-lockfile'];
+    }
+    _buildDependencyTree(includeTransitive, manifest) {
+        const tree = super._buildDependencyTree(includeTransitive, manifest);
+        if (Array.isArray(tree) && tree.length > 0) {
+            return tree[0];
+        }
+        return {};
+    }
+}

package/dist/src/providers/javascript_yarn.d.ts

@@ -0,0 +1,11 @@
+export default class Javascript_yarn extends Base_javascript {
+    static VERSION_PATTERN: RegExp;
+    _listCmdArgs(includeTransitive: any, manifestDir: any): any;
+    _updateLockFileCmdArgs(manifestDir: any): any;
+    _setUp(manifestPath: any, opts: any): void;
+    _getRootDependencies(depTree: any): any;
+    _parseDepTreeOutput(output: any): any;
+    _addDependenciesToSbom(sbom: any, depTree: any): void;
+    #private;
+}
+import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_yarn.js

@@ -0,0 +1,39 @@
+import Base_javascript from './base_javascript.js';
+import Yarn_berry_processor from './processors/yarn_berry_processor.js';
+import Yarn_classic_processor from './processors/yarn_classic_processor.js';
+export default class Javascript_yarn extends Base_javascript {
+    static VERSION_PATTERN = /^([0-9]+)\./;
+    #processor;
+    _lockFileName() {
+        return "yarn.lock";
+    }
+    _cmdName() {
+        return "yarn";
+    }
+    _listCmdArgs(includeTransitive, manifestDir) {
+        return this.#processor.listCmdArgs(includeTransitive, manifestDir);
+    }
+    _updateLockFileCmdArgs(manifestDir) {
+        return this.#processor.updateLockFileCmdArgs(manifestDir);
+    }
+    _setUp(manifestPath, opts) {
+        super._setUp(manifestPath, opts);
+        const version = this._version() ?? '';
+        const matches = Javascript_yarn.VERSION_PATTERN.exec(version);
+        if (matches?.length !== 2) {
+            throw new Error(`Invalid Yarn version format: ${version}`);
+        }
+        const isClassic = matches[1] === '1';
+        this._setEcosystem(isClassic ? 'yarn-classic' : 'yarn-berry');
+        this.#processor = isClassic ? new Yarn_classic_processor(this._getManifest()) : new Yarn_berry_processor(this._getManifest());
+    }
+    _getRootDependencies(depTree) {
+        return this.#processor.getRootDependencies(depTree);
+    }
+    _parseDepTreeOutput(output) {
+        return this.#processor.parseDepTreeOutput(output);
+    }
+    _addDependenciesToSbom(sbom, depTree) {
+        this.#processor.addDependenciesToSbom(sbom, depTree);
+    }
+}

package/dist/src/providers/manifest.d.ts

@@ -0,0 +1,11 @@
+export default class Manifest {
+    constructor(manifestPath: any);
+    manifestPath: any;
+    dependencies: any[];
+    name: any;
+    version: any;
+    ignored: any[];
+    loadManifest(): any;
+    loadDependencies(content: any): any[];
+    loadIgnored(content: any): any[];
+}

package/dist/src/providers/manifest.js

@@ -0,0 +1,48 @@
+import fs from "fs";
+import { toPurl } from "../tools.js";
+const DEFAULT_VERSION = 'v0.0.0';
+export default class Manifest {
+    constructor(manifestPath) {
+        if (!manifestPath) {
+            throw new Error("Missing required manifest path");
+        }
+        this.manifestPath = manifestPath;
+        const content = this.loadManifest();
+        this.dependencies = this.loadDependencies(content);
+        this.name = content.name;
+        this.version = content.version || DEFAULT_VERSION;
+        this.ignored = this.loadIgnored(content);
+    }
+    loadManifest() {
+        try {
+            let manifest = JSON.parse(fs.readFileSync(this.manifestPath, 'utf-8'));
+            return manifest;
+        }
+        catch (err) {
+            if (err.code === 'ENOENT') {
+                throw new Error("Missing manifest file: " + this.manifestPath, { cause: err });
+            }
+            throw new Error("Unable to parse manifest: " + this.manifestPath, { cause: err });
+        }
+    }
+    loadDependencies(content) {
+        let deps = [];
+        if (!content.dependencies) {
+            return deps;
+        }
+        for (let dep in content.dependencies) {
+            deps.push(dep);
+        }
+        return deps;
+    }
+    loadIgnored(content) {
+        let deps = [];
+        if (!content.exhortignore) {
+            return deps;
+        }
+        for (let i = 0; i < content.exhortignore.length; i++) {
+            deps.push(toPurl("npm", content.exhortignore[i]));
+        }
+        return deps;
+    }
+}

package/dist/src/providers/processors/yarn_berry_processor.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Processor for Yarn Berry package manager
+ * Handles parsing and processing of dependencies for Yarn Berry projects
+ */
+export default class Yarn_berry_processor extends Yarn_processor {
+    static LOCATOR_PATTERN: RegExp;
+    static VIRTUAL_LOCATOR_PATTERN: RegExp;
+    /**
+     * Returns the command arguments for listing dependencies
+     * @param {boolean} includeTransitive - Whether to include transitive dependencies
+     * @returns {string[]} Command arguments for listing dependencies
+     */
+    listCmdArgs(includeTransitive: boolean): string[];
+    /**
+     * Returns the command arguments for updating the lock file
+     * @param {string}  - Directory containing the manifest file
+     * @returns {string[]} Command arguments for updating the lock file
+     */
+    updateLockFileCmdArgs(): string[];
+    /**
+   * Parses the dependency tree output from Yarn Berry
+   * Converts multiple JSON objects into a valid JSON array
+   * @param {string} output - The raw command output
+   * @returns {string} Properly formatted JSON string
+   */
+    parseDepTreeOutput(output: string): string;
+    /**
+   * Extracts root dependencies from the dependency tree
+   * @param {Object} depTree - The dependency tree object
+   * @returns {Map<string, PackageURL>} Map of dependency names to their PackageURL objects
+   */
+    getRootDependencies(depTree: any): Map<string, PackageURL>;
+    /**
+   * Adds dependencies to the SBOM
+   * @param {Sbom} sbom - The SBOM object to add dependencies to
+   * @param {Object} depTree - The dependency tree object
+   */
+    addDependenciesToSbom(sbom: Sbom, depTree: any): void;
+    #private;
+}
+import Yarn_processor from "./yarn_processor.js";

package/dist/src/providers/processors/yarn_berry_processor.js

@@ -0,0 +1,130 @@
+import { EOL } from 'os';
+import { toPurl, toPurlFromString } from "../../tools.js";
+import { purlType } from "../base_javascript.js";
+import Yarn_processor from "./yarn_processor.js";
+/**
+ * Processor for Yarn Berry package manager
+ * Handles parsing and processing of dependencies for Yarn Berry projects
+ */
+export default class Yarn_berry_processor extends Yarn_processor {
+    static LOCATOR_PATTERN = /^(@?[^@]+(?:\/[^@]+)?)@npm:(.+)$/;
+    static VIRTUAL_LOCATOR_PATTERN = /^(@?[^@]+(?:\/[^@]+)?)@virtual:[^#]+#npm:(.+)$/;
+    /**
+     * Returns the command arguments for listing dependencies
+     * @param {boolean} includeTransitive - Whether to include transitive dependencies
+     * @returns {string[]} Command arguments for listing dependencies
+     */
+    listCmdArgs(includeTransitive) {
+        return ['info', includeTransitive ? '--recursive' : '--all', '--json'];
+    }
+    /**
+     * Returns the command arguments for updating the lock file
+     * @param {string}  - Directory containing the manifest file
+     * @returns {string[]} Command arguments for updating the lock file
+     */
+    updateLockFileCmdArgs() {
+        return ['install', '--immutable'];
+    }
+    /**
+   * Parses the dependency tree output from Yarn Berry
+   * Converts multiple JSON objects into a valid JSON array
+   * @param {string} output - The raw command output
+   * @returns {string} Properly formatted JSON string
+   */
+    parseDepTreeOutput(output) {
+        // Normalize line endings to EOL regardless of platform
+        const normalizedOutput = output.replace(/\r\n|\n/g, EOL);
+        const lines = normalizedOutput.split(EOL).filter(line => line.trim());
+        // Transform multiline JSON objects into a valid JSON array
+        const outputArray = lines.join('').replaceAll('}{', '},{');
+        return `[${outputArray}]`;
+    }
+    /**
+   * Extracts root dependencies from the dependency tree
+   * @param {Object} depTree - The dependency tree object
+   * @returns {Map<string, PackageURL>} Map of dependency names to their PackageURL objects
+   */
+    getRootDependencies(depTree) {
+        if (!depTree) {
+            return new Map();
+        }
+        return new Map(depTree.filter(dep => !this.#isRoot(dep.value)).map(dep => {
+            const depName = dep.value;
+            const idx = depName.lastIndexOf('@');
+            const name = depName.substring(0, idx);
+            const version = dep.children.Version;
+            return [name, toPurl(purlType, name, version)];
+        }));
+    }
+    /**
+   * Checks if a dependency is the root package
+   * @param {string} name - Name of the dependency
+   * @returns {boolean} True if the dependency is the root package
+   * @private
+   */
+    #isRoot(name) {
+        if (!name) {
+            return false;
+        }
+        return name.endsWith("@workspace:.");
+    }
+    /**
+   * Adds dependencies to the SBOM
+   * @param {Sbom} sbom - The SBOM object to add dependencies to
+   * @param {Object} depTree - The dependency tree object
+   */
+    addDependenciesToSbom(sbom, depTree) {
+        if (!depTree) {
+            return;
+        }
+        depTree.forEach(n => {
+            const depName = n.value;
+            const from = this.#isRoot(depName) ? toPurlFromString(sbom.getRoot().purl) : this.#purlFromNode(depName, n);
+            const deps = n.children?.Dependencies;
+            if (!deps) {
+                return;
+            }
+            deps.forEach(d => {
+                const to = this.#purlFromLocator(d.locator);
+                if (to) {
+                    sbom.addDependency(from, to);
+                }
+            });
+        });
+    }
+    /**
+   * Creates a PackageURL from a dependency locator
+   * @param {string} locator - The dependency locator
+   * @returns {PackageURL|undefined} The PackageURL or undefined if not valid
+   * @private
+   */
+    #purlFromLocator(locator) {
+        if (!locator) {
+            return undefined;
+        }
+        const matches = Yarn_berry_processor.LOCATOR_PATTERN.exec(locator);
+        if (matches) {
+            return toPurl(purlType, matches[1], matches[2]);
+        }
+        const virtualMatches = Yarn_berry_processor.VIRTUAL_LOCATOR_PATTERN.exec(locator);
+        if (virtualMatches) {
+            return toPurl(purlType, virtualMatches[1], virtualMatches[2]);
+        }
+        return undefined;
+    }
+    /**
+   * Creates a PackageURL from a dependency node
+   * @param {string} depName - The dependency name
+   * @param {Object} node - The dependency node object
+   * @returns {PackageURL|undefined} The PackageURL or undefined if not valid
+   * @private
+   */
+    #purlFromNode(depName, node) {
+        if (!node?.children?.Version) {
+            return undefined;
+        }
+        const name = depName.substring(0, depName.lastIndexOf('@'));
+        const version = node.children.Version;
+        return toPurl(purlType, name, version);
+    }
+}

package/dist/src/providers/processors/yarn_classic_processor.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Processor for Yarn Classic package manager
+ * Handles parsing and processing of dependencies for Yarn Classic projects
+ */
+export default class Yarn_classic_processor extends Yarn_processor {
+    /**
+     * Returns the command arguments for listing dependencies
+     * @param {boolean} includeTransitive - Whether to include transitive dependencies
+     * @returns {string[]} Command arguments for listing dependencies
+     */
+    listCmdArgs(includeTransitive: boolean): string[];
+    /**
+     * Returns the command arguments for updating the lock file
+     * @returns {string[]} Command arguments for updating the lock file
+     */
+    updateLockFileCmdArgs(): string[];
+    /**
+   * Parses the dependency tree output from Yarn Classic
+   * @param {string} output - The raw command output
+   * @returns {string} Unchanged output as it's already in JSON format
+   */
+    parseDepTreeOutput(output: string): string;
+    /**
+   * Extracts root dependencies from the dependency tree
+   * @param {Object} depTree - The dependency tree object
+   * @returns {Map<string, PackageURL>} Map of dependency names to their PackageURL objects
+   */
+    getRootDependencies(depTree: any): Map<string, PackageURL>;
+    /**
+   * Adds dependencies to the SBOM
+   * @param {Sbom} sbom - The SBOM object to add dependencies to
+   * @param {Object} depTree - The dependency tree object
+   */
+    addDependenciesToSbom(sbom: Sbom, depTree: any): void;
+    #private;
+}
+import Yarn_processor from "./yarn_processor.js";