@trustify-da/trustify-da-javascript-client 0.3.0-ea.0e9ba23 → 0.3.0-ea.29f6867

package/README.md

@@ -43,6 +43,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'])
 ```
 </li>
 </ul>
+
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
+</ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
 <ul>
 <li>
 Use as ESM Module from Common-JS module
@@ -183,6 +198,21 @@ $ trustify-da-javascript-client license /path/to/package.json
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
 </ul>
 
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
+</ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
+
 <h3>Excluding Packages</h3>
 <p>
 Excluding a package from any analysis can be achieved by marking the package for exclusion.

package/dist/package.json

@@ -40,8 +40,11 @@
         "test": "c8 npm run tests",
         "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm",
         "precompile": "rm -rf dist",
-        "compile": "tsc -p tsconfig.json"
+        "compile": "tsc -p tsconfig.json",
+        "compile:dev": "tsc -p tsconfig.dev.json",
+        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm"
     },
     "dependencies": {
         "@babel/core": "^7.23.2",

package/dist/src/index.d.ts

@@ -131,4 +131,4 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
-export { getProjectLicense, findLicenseFilePath, identifyLicenseViaBackend, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
+export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";

package/dist/src/index.js

@@ -8,7 +8,7 @@ import.meta.dirname;
 import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
-export { getProjectLicense, findLicenseFilePath, identifyLicenseViaBackend, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
+export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
 export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken };
 /**
  * @typedef {{

package/dist/src/license/index.d.ts

@@ -23,6 +23,6 @@ export function runLicenseCheck(sbomContent: string, manifestPath: string, url:
     }>;
     error?: string;
 }>;
-export { getCompatibility } from "./compatibility.js";
-export { getProjectLicense, findLicenseFilePath, identifyLicense as identifyLicenseViaBackend } from "./project_license.js";
+export { getCompatibility } from "./license_utils.js";
+export { getProjectLicense, findLicenseFilePath, identifyLicense } from "./project_license.js";
 export { licensesFromReport, normalizeLicensesResponse, getLicenseDetails } from "./licenses_api.js";

package/dist/src/license/index.js

@@ -3,10 +3,10 @@
  */
 import { getProjectLicense, findLicenseFilePath, identifyLicense } from './project_license.js';
 import { licensesFromReport, getLicenseDetails } from './licenses_api.js';
-import { getCompatibility } from './compatibility.js';
-export { getProjectLicense, findLicenseFilePath, identifyLicense as identifyLicenseViaBackend } from './project_license.js';
+import { getCompatibility } from './license_utils.js';
+export { getProjectLicense, findLicenseFilePath, identifyLicense } from './project_license.js';
 export { licensesFromReport, normalizeLicensesResponse, getLicenseDetails } from './licenses_api.js';
-export { getCompatibility } from './compatibility.js';
+export { getCompatibility } from './license_utils.js';
 /**
  * Run full license check: resolve project license (with backend identification and details),
  * get dependency licenses from analysis report, and compute incompatibilities.
@@ -20,7 +20,7 @@ export { getCompatibility } from './compatibility.js';
  */
 export async function runLicenseCheck(sbomContent, manifestPath, url, opts = {}, analysisResult = null) {
     // Resolve project license from manifest and LICENSE file
-    const projectLicense = getProjectLicense(manifestPath, opts);
+    const projectLicense = getProjectLicense(manifestPath);
     // Try backend identification for LICENSE file (more accurate than local pattern matching)
     const licenseFilePath = findLicenseFilePath(manifestPath);
     let backendFileId = null;

package/dist/src/license/license_utils.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Find LICENSE file path in the same directory as the manifest.
+ * @param {string} manifestPath
+ * @returns {string|null} - path to LICENSE file or null if not found
+ */
+export function findLicenseFilePath(manifestPath: string): string | null;
+/**
+ * Very simple SPDX detection from common license text (first ~500 chars).
+ * @param {string} text
+ * @returns {string|null}
+ */
+export function detectSpdxFromText(text: string): string | null;
+/**
+ * Read LICENSE file and detect SPDX identifier.
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier from LICENSE file or null
+ */
+export function readLicenseFile(manifestPath: string): string | null;
+/**
+ * Get project license from manifest or LICENSE file.
+ * Returns manifestLicense if provided, otherwise tries LICENSE file.
+ * @param {string|null} manifestLicense - license from manifest (or null)
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier or null
+ */
+export function getLicense(manifestLicense: string | null, manifestPath: string): string | null;
+/**
+ * Normalize SPDX identifier for comparison (lowercase, strip common suffixes).
+ * @param {string} spdxOrName
+ * @returns {string}
+ */
+export function normalizeSpdx(spdxOrName: string): string;
+/**
+ * Check if a dependency's license is compatible with the project license based on backend categories.
+ *
+ * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @returns {'compatible'|'incompatible'|'unknown'}
+ */
+export function getCompatibility(projectCategory?: string, dependencyCategory?: string): "compatible" | "incompatible" | "unknown";

package/dist/src/license/license_utils.js

@@ -0,0 +1,134 @@
+/**
+ * License utilities: file reading, SPDX detection, normalization, compatibility.
+ * This module has NO dependencies on providers or backend to avoid circular dependencies.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+const LICENSE_FILES = ['LICENSE', 'LICENSE.md', 'LICENSE.txt'];
+/**
+ * Find LICENSE file path in the same directory as the manifest.
+ * @param {string} manifestPath
+ * @returns {string|null} - path to LICENSE file or null if not found
+ */
+export function findLicenseFilePath(manifestPath) {
+    const manifestDir = path.dirname(path.resolve(manifestPath));
+    for (const name of LICENSE_FILES) {
+        const filePath = path.join(manifestDir, name);
+        try {
+            if (fs.statSync(filePath).isFile()) {
+                return filePath;
+            }
+        }
+        catch {
+            // skip
+        }
+    }
+    return null;
+}
+/**
+ * Very simple SPDX detection from common license text (first ~500 chars).
+ * @param {string} text
+ * @returns {string|null}
+ */
+export function detectSpdxFromText(text) {
+    const head = text.slice(0, 500);
+    if (/Apache License,?\s*Version 2\.0/i.test(head)) {
+        return 'Apache-2.0';
+    }
+    if (/MIT License/i.test(head) && /Permission is hereby granted/i.test(head)) {
+        return 'MIT';
+    }
+    if (/GNU AFFERO GENERAL PUBLIC LICENSE\s+Version 3/i.test(head)) {
+        return 'AGPL-3.0-only';
+    }
+    if (/GNU LESSER GENERAL PUBLIC LICENSE\s+Version 3/i.test(head)) {
+        return 'LGPL-3.0-only';
+    }
+    if (/GNU LESSER GENERAL PUBLIC LICENSE\s+Version 2\.1/i.test(head)) {
+        return 'LGPL-2.1-only';
+    }
+    if (/GNU GENERAL PUBLIC LICENSE\s+Version 2/i.test(head)) {
+        return 'GPL-2.0-only';
+    }
+    if (/GNU GENERAL PUBLIC LICENSE\s+Version 3/i.test(head)) {
+        return 'GPL-3.0-only';
+    }
+    if (/BSD 2-Clause/i.test(head)) {
+        return 'BSD-2-Clause';
+    }
+    if (/BSD 3-Clause/i.test(head)) {
+        return 'BSD-3-Clause';
+    }
+    return null;
+}
+/**
+ * Read LICENSE file and detect SPDX identifier.
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier from LICENSE file or null
+ */
+export function readLicenseFile(manifestPath) {
+    const licenseFilePath = findLicenseFilePath(manifestPath);
+    if (!licenseFilePath) {
+        return null;
+    }
+    try {
+        const content = fs.readFileSync(licenseFilePath, 'utf-8');
+        return detectSpdxFromText(content) || content.split('\n')[0]?.trim() || null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get project license from manifest or LICENSE file.
+ * Returns manifestLicense if provided, otherwise tries LICENSE file.
+ * @param {string|null} manifestLicense - license from manifest (or null)
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier or null
+ */
+export function getLicense(manifestLicense, manifestPath) {
+    return manifestLicense || readLicenseFile(manifestPath) || null;
+}
+/**
+ * Normalize SPDX identifier for comparison (lowercase, strip common suffixes).
+ * @param {string} spdxOrName
+ * @returns {string}
+ */
+export function normalizeSpdx(spdxOrName) {
+    const s = String(spdxOrName).trim().toLowerCase();
+    if (s.endsWith(' license')) {
+        return s.slice(0, -8);
+    }
+    return s;
+}
+/**
+ * Check if a dependency's license is compatible with the project license based on backend categories.
+ *
+ * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @returns {'compatible'|'incompatible'|'unknown'}
+ */
+export function getCompatibility(projectCategory, dependencyCategory) {
+    if (!projectCategory || !dependencyCategory) {
+        return 'unknown';
+    }
+    const proj = projectCategory.toUpperCase();
+    const dep = dependencyCategory.toUpperCase();
+    if (proj === 'UNKNOWN' || dep === 'UNKNOWN') {
+        return 'unknown';
+    }
+    const restrictiveness = {
+        'PERMISSIVE': 1,
+        'WEAK_COPYLEFT': 2,
+        'STRONG_COPYLEFT': 3
+    };
+    const projLevel = restrictiveness[proj];
+    const depLevel = restrictiveness[dep];
+    if (projLevel === undefined || depLevel === undefined) {
+        return 'unknown';
+    }
+    if (depLevel > projLevel) {
+        return 'incompatible';
+    }
+    return 'compatible';
+}

package/dist/src/license/project_license.d.ts

@@ -10,12 +10,6 @@ export function getProjectLicense(manifestPath: string): {
     fromFile: string | null;
     mismatch: boolean;
 };
-/**
- * Find LICENSE file path in the same directory as the manifest.
- * @param {string} manifestPath
- * @returns {string|null} - path to LICENSE file or null if not found
- */
-export function findLicenseFilePath(manifestPath: string): string | null;
 /**
  * Call backend /licenses/identify endpoint to identify license from file.
  * @param {string} licenseFilePath - path to LICENSE file
@@ -23,3 +17,12 @@ export function findLicenseFilePath(manifestPath: string): string | null;
  * @returns {Promise<string|null>} - SPDX identifier or null
  */
 export function identifyLicense(licenseFilePath: string, opts?: {}): Promise<string | null>;
+/**
+ * Get license for SBOM root component with fallback to LICENSE file.
+ * Priority: manifest license > LICENSE file > null
+ * This is used by providers to populate the license field in the SBOM.
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier or null
+ */
+export function getLicenseForSbom(manifestPath: string): string | null;
+export { findLicenseFilePath, readLicenseFile } from "./license_utils.js";

package/dist/src/license/project_license.js

@@ -7,7 +7,7 @@ import path from 'node:path';
 import { selectTrustifyDABackend } from '../index.js';
 import { matchForLicense, availableProviders } from '../provider.js';
 import { addProxyAgent, getTokenHeaders } from '../tools.js';
-const LICENSE_FILES = ['LICENSE', 'LICENSE.md', 'LICENSE.txt'];
+import { normalizeSpdx, readLicenseFile } from './license_utils.js';
 /**
  * Resolve project license from manifest and from LICENSE / LICENSE.md in manifest dir or git root.
  * Uses local pattern matching for LICENSE file identification (synchronous).
@@ -19,7 +19,7 @@ export function getProjectLicense(manifestPath) {
     const resolved = path.resolve(manifestPath);
     const provider = matchForLicense(resolved, availableProviders);
     const fromManifest = provider.readLicenseFromManifest(resolved);
-    const fromFile = readLicenseFromFile(resolved);
+    const fromFile = readLicenseFile(resolved);
     const mismatch = Boolean(fromManifest && fromFile && normalizeSpdx(fromManifest) !== normalizeSpdx(fromFile));
     return {
         fromManifest: fromManifest || null,
@@ -27,26 +27,7 @@ export function getProjectLicense(manifestPath) {
         mismatch
     };
 }
-/**
- * Find LICENSE file path in the same directory as the manifest.
- * @param {string} manifestPath
- * @returns {string|null} - path to LICENSE file or null if not found
- */
-export function findLicenseFilePath(manifestPath) {
-    const manifestDir = path.dirname(path.resolve(manifestPath));
-    for (const name of LICENSE_FILES) {
-        const filePath = path.join(manifestDir, name);
-        try {
-            if (fs.statSync(filePath).isFile()) {
-                return filePath;
-            }
-        }
-        catch {
-            // skip
-        }
-    }
-    return null;
-}
+export { findLicenseFilePath, readLicenseFile } from './license_utils.js';
 /**
  * Call backend /licenses/identify endpoint to identify license from file.
  * @param {string} licenseFilePath - path to LICENSE file
@@ -57,7 +38,7 @@ export async function identifyLicense(licenseFilePath, opts = {}) {
     try {
         const fileContent = fs.readFileSync(licenseFilePath);
         const backendUrl = selectTrustifyDABackend(opts);
-        const url = new URL(`${backendUrl}/licenses/identify`);
+        const url = new URL(`${backendUrl}/api/v5/licenses/identify`);
         const tokenHeaders = getTokenHeaders(opts);
         const fetchOptions = addProxyAgent({
             method: 'POST',
@@ -80,60 +61,13 @@ export async function identifyLicense(licenseFilePath, opts = {}) {
     }
 }
 /**
- * Find and read LICENSE or LICENSE.md; use local pattern matching for identification.
- * @param {string} manifestPath
- * @returns {string|null}
- */
-function readLicenseFromFile(manifestPath) {
-    const licenseFilePath = findLicenseFilePath(manifestPath);
-    if (!licenseFilePath) {
-        return null;
-    }
-    try {
-        const content = fs.readFileSync(licenseFilePath, 'utf-8');
-        return detectSpdxFromText(content) || content.split('\n')[0]?.trim() || null;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Very simple SPDX detection from common license text (first ~500 chars).
- * @param {string} text
- * @returns {string|null}
- */
-function detectSpdxFromText(text) {
-    const head = text.slice(0, 500);
-    if (/Apache License,?\s*Version 2\.0/i.test(head)) {
-        return 'Apache-2.0';
-    }
-    if (/MIT License/i.test(head) && /Permission is hereby granted/i.test(head)) {
-        return 'MIT';
-    }
-    if (/GNU GENERAL PUBLIC LICENSE\s+Version 2/i.test(head)) {
-        return 'GPL-2.0-only';
-    }
-    if (/GNU GENERAL PUBLIC LICENSE\s+Version 3/i.test(head)) {
-        return 'GPL-3.0-only';
-    }
-    if (/BSD 2-Clause/i.test(head)) {
-        return 'BSD-2-Clause';
-    }
-    if (/BSD 3-Clause/i.test(head)) {
-        return 'BSD-3-Clause';
-    }
-    return null;
-}
-/**
- * Normalize for comparison (lowercase, strip common suffixes).
- * @param {string} spdxOrName
- * @returns {string}
+ * Get license for SBOM root component with fallback to LICENSE file.
+ * Priority: manifest license > LICENSE file > null
+ * This is used by providers to populate the license field in the SBOM.
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier or null
  */
-function normalizeSpdx(spdxOrName) {
-    const s = String(spdxOrName).trim().toLowerCase();
-    // e.g. "MIT" vs "MIT License"
-    if (s.endsWith(' license')) {
-        return s.slice(0, -8);
-    }
-    return s;
+export function getLicenseForSbom(manifestPath) {
+    const { fromManifest, fromFile } = getProjectLicense(manifestPath);
+    return fromManifest || fromFile || null;
 }

package/dist/src/providers/base_javascript.js

@@ -1,6 +1,7 @@
 import fs from 'node:fs';
 import os from "node:os";
 import path from 'node:path';
+import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from "../tools.js";
 import Manifest from './manifest.js';
@@ -138,21 +139,22 @@ export default class Base_javascript {
      * @returns {string|null}
      */
     readLicenseFromManifest(manifestPath) {
+        let manifestLicense;
         try {
             const content = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
             if (typeof content.license === 'string') {
-                return content.license.trim() || null;
+                manifestLicense = content.license.trim() || null;
             }
-            if (Array.isArray(content.licenses) && content.licenses.length > 0) {
+            else if (Array.isArray(content.licenses) && content.licenses.length > 0) {
                 const first = content.licenses[0];
                 const name = first.type || first.name;
-                return typeof name === 'string' ? name.trim() : null;
+                manifestLicense = (typeof name === 'string' ? name.trim() : null);
             }
-            return null;
         }
         catch {
-            return null;
+            manifestLicense = null;
         }
+        return getLicense(manifestLicense, manifestPath);
     }
     /**
    * Builds the dependency tree for the project

package/dist/src/providers/golang_gomodules.js

@@ -2,6 +2,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { EOL } from "os";
 import { PackageURL } from 'packageurl-js';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom, getCustomPath, invokeCommand } from "../tools.js";
 export default { isSupported, validateLockFile, provideComponent, provideStack, readLicenseFromManifest };
@@ -28,7 +29,7 @@ function isSupported(manifestName) {
  * @returns {string|null}
 */
 // eslint-disable-next-line no-unused-vars
-function readLicenseFromManifest(manifestPath) { return null; }
+function readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
 /**
  * @param {string} manifestDir - the directory where the manifest lies
  */

package/dist/src/providers/java_gradle.js

@@ -2,6 +2,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { EOL } from 'os';
 import TOML from 'fast-toml';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import Base_java, { ecosystem_gradle } from "./base_java.js";
 /** @typedef {import('../provider.js').Provider} */
@@ -55,7 +56,7 @@ export default class Java_gradle extends Base_java {
      * @returns {null}
      */
     // eslint-disable-next-line no-unused-vars
-    readLicenseFromManifest(manifestPath) { return null; }
+    readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
     /**
      * Provide content and content type for stack analysis.
      * @param {string} manifest - the manifest path or name

package/dist/src/providers/java_maven.d.ts

@@ -28,7 +28,7 @@ export default class Java_maven extends Base_java {
      */
     provideComponent(manifest: string, opts?: {}): Provided;
     /**
-     * Read license from pom.xml manifest
+     * Read license from pom.xml manifest, with fallback to LICENSE file
      * @param {string} manifestPath - path to pom.xml
      * @returns {string|null}
      */

package/dist/src/providers/java_maven.js

@@ -3,6 +3,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { EOL } from 'os';
 import { XMLParser } from 'fast-xml-parser';
+import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom } from '../tools.js';
 import Base_java, { ecosystem_maven } from "./base_java.js";
@@ -52,28 +53,28 @@ export default class Java_maven extends Base_java {
         };
     }
     /**
-     * Read license from pom.xml manifest
+     * Read license from pom.xml manifest, with fallback to LICENSE file
      * @param {string} manifestPath - path to pom.xml
      * @returns {string|null}
      */
     readLicenseFromManifest(manifestPath) {
+        let fromPom = null;
         try {
             const xml = fs.readFileSync(manifestPath, 'utf-8');
             const parser = new XMLParser({ ignoreAttributes: false });
             const obj = parser.parse(xml);
             const project = obj?.project;
-            if (!project?.licenses?.license) {
-                return null;
+            if (project?.licenses?.license) {
+                const license = Array.isArray(project.licenses.license)
+                    ? project.licenses.license[0]
+                    : project.licenses.license;
+                fromPom = (license?.name && license.name.trim()) || null;
             }
-            const license = Array.isArray(project.licenses.license)
-                ? project.licenses.license[0]
-                : project.licenses.license;
-            const name = (license?.name && license.name.trim()) || null;
-            return name || null;
         }
         catch {
-            return null;
+            // leave fromPom as null
         }
+        return getLicense(fromPom, manifestPath);
     }
     /**
      * Create a Dot Graph dependency tree for a manifest path.

package/dist/src/providers/python_pip.js

@@ -1,5 +1,6 @@
 import fs from 'node:fs';
 import { PackageURL } from 'packageurl-js';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { environmentVariableIsPopulated, getCustom, getCustomPath, invokeCommand } from "../tools.js";
 import Python_controller from './python_controller.js';
@@ -24,7 +25,7 @@ function isSupported(manifestName) {
  * @returns {string|null}
  */
 // eslint-disable-next-line no-unused-vars
-function readLicenseFromManifest(manifestPath) { return null; }
+function readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
 /**
  * @param {string} manifestDir - the directory where the manifest lies
  */

package/dist/src/providers/requirements_parser.js

@@ -1,13 +1,10 @@
-import { createRequire } from 'node:module';
+import { readFile } from 'node:fs/promises';
 import { Language, Parser, Query } from 'web-tree-sitter';
-const require = createRequire(import.meta.url);
+const wasmUrl = new URL('./tree-sitter-requirements.wasm', import.meta.url);
 async function init() {
-    await Parser.init({
-        locateFile() {
-            return require.resolve('web-tree-sitter/web-tree-sitter.wasm');
-        }
-    });
-    return await Language.load(require.resolve('tree-sitter-requirements/tree-sitter-requirements.wasm'));
+    await Parser.init();
+    const wasmBytes = new Uint8Array(await readFile(wasmUrl));
+    return await Language.load(wasmBytes);
 }
 export async function getParser() {
     const language = await init();

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.0e9ba23",
+	"version": "0.3.0-ea.29f6867",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",
@@ -40,8 +40,11 @@
 		"test": "c8 npm run tests",
 		"tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
 		"tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+		"pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm",
 		"precompile": "rm -rf dist",
-		"compile": "tsc -p tsconfig.json"
+		"compile": "tsc -p tsconfig.json",
+		"compile:dev": "tsc -p tsconfig.dev.json",
+		"postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm"
 	},
 	"dependencies": {
 		"@babel/core": "^7.23.2",

package/dist/src/license/compatibility.d.ts

@@ -1,18 +0,0 @@
-/**
- * License compatibility: whether a dependency license is compatible with the project license.
- * Relies on backend-provided license categories.
- *
- * Compatibility is based on restrictiveness hierarchy:
- * PERMISSIVE < WEAK_COPYLEFT < STRONG_COPYLEFT
- *
- * A dependency is compatible if it's equal or less restrictive than the project license.
- * A dependency is incompatible if it's more restrictive than the project license.
- */
-/**
- * Check if a dependency's license is compatible with the project license based on backend categories.
- *
- * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @returns {'compatible'|'incompatible'|'unknown'}
- */
-export function getCompatibility(projectCategory?: string, dependencyCategory?: string): "compatible" | "incompatible" | "unknown";

package/dist/src/license/compatibility.js

@@ -1,45 +0,0 @@
-/**
- * License compatibility: whether a dependency license is compatible with the project license.
- * Relies on backend-provided license categories.
- *
- * Compatibility is based on restrictiveness hierarchy:
- * PERMISSIVE < WEAK_COPYLEFT < STRONG_COPYLEFT
- *
- * A dependency is compatible if it's equal or less restrictive than the project license.
- * A dependency is incompatible if it's more restrictive than the project license.
- */
-/**
- * Check if a dependency's license is compatible with the project license based on backend categories.
- *
- * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @returns {'compatible'|'incompatible'|'unknown'}
- */
-export function getCompatibility(projectCategory, dependencyCategory) {
-    if (!projectCategory || !dependencyCategory) {
-        return 'unknown';
-    }
-    const proj = projectCategory.toUpperCase();
-    const dep = dependencyCategory.toUpperCase();
-    // Unknown categories
-    if (proj === 'UNKNOWN' || dep === 'UNKNOWN') {
-        return 'unknown';
-    }
-    // Define restrictiveness levels (higher number = more restrictive)
-    const restrictiveness = {
-        'PERMISSIVE': 1,
-        'WEAK_COPYLEFT': 2,
-        'STRONG_COPYLEFT': 3
-    };
-    const projLevel = restrictiveness[proj];
-    const depLevel = restrictiveness[dep];
-    if (projLevel === undefined || depLevel === undefined) {
-        return 'unknown';
-    }
-    // Dependency is more restrictive than project → incompatible
-    if (depLevel > projLevel) {
-        return 'incompatible';
-    }
-    // Dependency is equal or less restrictive → compatible
-    return 'compatible';
-}