@trustify-da/trustify-da-javascript-client 0.3.0-ea.1684e79 → 0.3.0-ea.1b02307

package/dist/package.json

@@ -51,11 +51,11 @@
         "@cyclonedx/cyclonedx-library": "^6.13.0",
         "eslint-import-resolver-typescript": "^4.4.4",
         "fast-glob": "^3.3.3",
-        "fast-toml": "^0.5.4",
         "fast-xml-parser": "^5.3.4",
         "help": "^3.0.2",
         "https-proxy-agent": "^7.0.6",
         "js-yaml": "^4.1.1",
+        "jsonc-parser": "^3.3.1",
         "micromatch": "^4.0.8",
         "node-fetch": "^3.3.2",
         "p-limit": "^4.0.0",

package/dist/src/cyclone_dx_sbom.d.ts

@@ -18,9 +18,14 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope: any): CycloneDxSbom;
+    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope?: string, targetHashes?: Array<{
+        alg: string;
+        content: string;
+    }>): CycloneDxSbom;
     /** @param {{}} opts - various options, settings and configuration of application.
      * @return String CycloneDx Sbom json object in a string format
      */
@@ -50,6 +55,7 @@ export default class CycloneDxSbom {
         version: any;
         scope: any;
         licenses?: any;
+        hashes?: any;
     };
     /**
      * This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom

package/dist/src/cyclone_dx_sbom.js

@@ -6,10 +6,11 @@ import { PackageURL } from "packageurl-js";
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
  * @param licenses optional license string or array of licenses for the component
- * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
+ * @param hashes optional array of hash objects for the component, e.g. [{alg: "SHA-256", content: "..."}]
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?, hashes?}}
  * @private
  */
-function getComponent(component, type, scope, licenses) {
+function getComponent(component, type, scope, licenses, hashes) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -40,12 +41,24 @@ function getComponent(component, type, scope, licenses) {
     // Add licenses if provided (CycloneDX format). Callers must provide valid SPDX identifiers.
     if (licenses) {
         const licenseArray = Array.isArray(licenses) ? licenses : [licenses];
-        componentObject.licenses = licenseArray.map(lic => {
+        const validLicenses = licenseArray
+            .map(lic => {
             if (typeof lic === 'string') {
                 return { license: { id: lic } };
             }
-            return lic;
-        });
+            if (typeof lic === 'object' && lic !== null && ('license' in lic || 'expression' in lic)) {
+                return lic;
+            }
+            return null;
+        })
+            .filter(Boolean);
+        if (validLicenses.length > 0) {
+            componentObject.licenses = validLicenses;
+        }
+    }
+    // Add hashes if provided (CycloneDX 1.4 format).
+    if (hashes && hashes.length > 0) {
+        componentObject.hashes = hashes;
     }
     return componentObject;
 }
@@ -86,16 +99,24 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef, targetRef, scope) {
+    addDependency(sourceRef, targetRef, scope, targetHashes) {
         const sourcePurl = sourceRef.toString();
         const targetPurl = targetRef.toString();
         // Ensure both components exist in the components list
         [sourceRef, targetRef].forEach((ref, index) => {
             const purl = index === 0 ? sourcePurl : targetPurl;
-            if (this.getComponentIndex(purl) < 0) {
-                this.components.push(getComponent(ref, "library", scope));
+            const existingIndex = this.getComponentIndex(purl);
+            if (existingIndex < 0) {
+                const hashes = index === 1 ? targetHashes : undefined;
+                this.components.push(getComponent(ref, "library", scope, undefined, hashes));
+            }
+            else if (index === 1 && targetHashes && targetHashes.length > 0 && !this.components[existingIndex].hashes) {
+                // Update hashes if the component was first seen without them (e.g. as a source)
+                this.components[existingIndex].hashes = targetHashes;
             }
         });
         // Ensure source dependency exists

package/dist/src/index.d.ts

@@ -80,7 +80,7 @@ export type Options = {
 };
 export type BatchAnalysisMetadata = {
     workspaceRoot: string;
-    ecosystem: "javascript" | "cargo" | "unknown";
+    ecosystem: "javascript" | "cargo" | "pyproject" | "unknown";
     total: number;
     successful: number;
     failed: number;
@@ -136,19 +136,74 @@ declare function stackAnalysis(manifest: string, html: false, opts?: Options | u
  * 		or backend request failed
  */
 declare function stackAnalysis(manifest: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: string;
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<string>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<{
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
  * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
  * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
  */
-declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean, opts?: Options): Promise<string | {
+declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | {
     [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
 } | {
     analysis: string | {
@@ -196,6 +251,10 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
+import { discoverUvWorkspaceMembers } from './providers/python_uv.js';
 import { discoverWorkspacePackages } from './workspace.js';
 import { discoverWorkspaceCrates } from './workspace.js';
 import { validatePackageJson } from './workspace.js';
@@ -203,5 +262,5 @@ import { resolveWorkspaceDiscoveryIgnore } from './workspace.js';
 import { filterManifestPathsByDiscoveryIgnore } from './workspace.js';
 import { resolveContinueOnError } from './batch_opts.js';
 import { resolveBatchMetadata } from './batch_opts.js';
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverUvWorkspaceMembers, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";

package/dist/src/index.js

@@ -6,6 +6,10 @@ import analysis from './analysis.js';
 import fs from 'node:fs';
 import { getCustom } from "./tools.js";
 import { resolveBatchMetadata, resolveContinueOnError } from './batch_opts.js';
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
+import { discoverUvWorkspaceMembers } from './providers/python_uv.js';
 import { discoverWorkspaceCrates, discoverWorkspacePackages, filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, validatePackageJson, } from './workspace.js';
 import.meta.dirname;
 import * as url from 'url';
@@ -13,7 +17,7 @@ export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
 export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverUvWorkspaceMembers, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
  * TRUSTIFY_DA_CARGO_PATH?: string | undefined,
@@ -64,7 +68,7 @@ export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson
 /**
  * @typedef {{
  *   workspaceRoot: string,
- *   ecosystem: 'javascript' | 'cargo' | 'unknown',
+ *   ecosystem: 'javascript' | 'cargo' | 'pyproject' | 'unknown',
  *   total: number,
  *   successful: number,
  *   failed: number,
@@ -171,7 +175,9 @@ async function componentAnalysis(manifest, opts = {}) {
     fs.accessSync(manifest, fs.constants.R_OK);
     opts["manifest-type"] = path.basename(manifest);
     let provider = match(manifest, availableProviders, opts); // throws error if no matching provider
-    return await analysis.requestComponent(provider, manifest, theUrl, opts); // throws error request sending failed
+    const result = await analysis.requestComponent(provider, manifest, theUrl, opts); // throws error request sending failed
+    result.packageManager = provider.packageManagerName();
+    return result;
 }
 /**
  * @overload
@@ -279,17 +285,45 @@ async function generateOneSbom(manifestPath, workspaceOpts) {
  *
  * @param {string} root - Resolved workspace root
  * @param {Options} opts
- * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'unknown', manifestPaths: string[] }>}
+ * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'maven' | 'gradle' | 'gomodules' | 'pyproject' | 'unknown', manifestPaths: string[] }>}
  * @private
  */
 async function detectWorkspaceManifests(root, opts) {
     const cargoToml = path.join(root, 'Cargo.toml');
     const cargoLock = path.join(root, 'Cargo.lock');
     const packageJson = path.join(root, 'package.json');
+    const pomXml = path.join(root, 'pom.xml');
     if (fs.existsSync(cargoToml) && fs.existsSync(cargoLock)) {
         return { ecosystem: 'cargo', manifestPaths: await discoverWorkspaceCrates(root, opts) };
     }
-    const hasJsLock = fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
+    if (fs.existsSync(pomXml)) {
+        const manifestPaths = await discoverMavenModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'maven', manifestPaths };
+        }
+    }
+    const hasGradleSettings = fs.existsSync(path.join(root, 'settings.gradle'))
+        || fs.existsSync(path.join(root, 'settings.gradle.kts'));
+    if (hasGradleSettings) {
+        const manifestPaths = await discoverGradleSubprojects(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'gradle', manifestPaths };
+        }
+    }
+    if (fs.existsSync(path.join(root, 'go.work'))) {
+        const manifestPaths = await discoverGoWorkspaceModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'gomodules', manifestPaths };
+        }
+    }
+    if (fs.existsSync(path.join(root, 'pyproject.toml')) && fs.existsSync(path.join(root, 'uv.lock'))) {
+        const manifestPaths = await discoverUvWorkspaceMembers(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'pyproject', manifestPaths };
+        }
+    }
+    const hasJsLock = fs.existsSync(path.join(root, 'bun.lock'))
+        || fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
         || fs.existsSync(path.join(root, 'yarn.lock'))
         || fs.existsSync(path.join(root, 'package-lock.json'));
     if (fs.existsSync(packageJson) && hasJsLock) {
@@ -398,12 +432,45 @@ function batchError(message, wantMetadata, metadata) {
     }
     return err;
 }
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
@@ -434,7 +501,7 @@ async function stackAnalysisBatch(workspaceRoot, html = false, opts = {}) {
         }
     }
     if (manifestPaths.length === 0) {
-        throw new Error(`No workspace manifests found at ${root}. Ensure Cargo.toml+Cargo.lock or package.json+lock file exist.`);
+        throw new Error(`No workspace manifests found at ${root}. Ensure a supported workspace root exists (Cargo.toml+Cargo.lock, pom.xml, build.gradle, go.work, pyproject.toml+uv.lock, or package.json+lock file).`);
     }
     const workspaceOpts = { ...opts, TRUSTIFY_DA_WORKSPACE_DIR: root };
     const concurrency = resolveBatchConcurrency(opts);

package/dist/src/provider.d.ts

@@ -21,7 +21,7 @@ export function match(manifest: string, providers: [Provider], opts?: {
     TRUSTIFY_DA_WORKSPACE_DIR?: string;
 }): Provider;
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string, Object=): string | null, packageManagerName: function(): string}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -37,5 +37,6 @@ export type Provider = {
     validateLockFile: (arg0: string, arg1: any) => void;
     provideComponent: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
     provideStack: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
-    readLicenseFromManifest: (arg0: string) => string | null;
+    readLicenseFromManifest: (arg0: string, arg1: any | undefined) => string | null;
+    packageManagerName: () => string;
 };

package/dist/src/provider.js

@@ -3,6 +3,7 @@ import golangGomodulesProvider from './providers/golang_gomodules.js';
 import Java_gradle_groovy from "./providers/java_gradle_groovy.js";
 import Java_gradle_kotlin from "./providers/java_gradle_kotlin.js";
 import Java_maven from "./providers/java_maven.js";
+import Javascript_bun from './providers/javascript_bun.js';
 import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
@@ -12,7 +13,7 @@ import Python_poetry from './providers/python_poetry.js';
 import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string, Object=): string | null, packageManagerName: function(): string}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -21,6 +22,7 @@ export const availableProviders = [
     new Java_maven(),
     new Java_gradle_groovy(),
     new Java_gradle_kotlin(),
+    new Javascript_bun(),
     new Javascript_pnpm(),
     new Javascript_yarn(),
     new Javascript_npm(),

package/dist/src/providers/base_java.d.ts

@@ -20,6 +20,11 @@ export default class Base_Java {
     CONFLICT_REGEX: RegExp;
     globalBinary: string;
     localWrapper: string;
+    /**
+     * Returns the package manager name (e.g. mvn, gradle)
+     * @returns {string}
+     */
+    packageManagerName(): string;
     /**
      * Recursively populates the SBOM instance with the parsed graph
      * @param {string} src - Source dependency to start the calculations from
@@ -57,15 +62,6 @@ export default class Base_Java {
      * @returns string
      */
     selectToolBinary(manifestPath: string, opts: {}): string | null;
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest: string, repoRoot?: string): string | undefined;
-    normalizePath(thePath: any): string;
     #private;
 }
 export type Provided = import("../provider").Provided;

package/dist/src/providers/base_java.js

@@ -1,7 +1,6 @@
-import fs from 'node:fs';
 import path from 'node:path';
 import { PackageURL } from 'packageurl-js';
-import { getCustomPath, getGitRootDir, getWrapperPreference, invokeCommand } from "../tools.js";
+import { getCustomPath, getWrapperPreference, invokeCommand, traverseForWrapper } from "../tools.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -26,6 +25,13 @@ export default class Base_Java {
         this.globalBinary = globalBinary;
         this.localWrapper = localWrapper;
     }
+    /**
+     * Returns the package manager name (e.g. mvn, gradle)
+     * @returns {string}
+     */
+    packageManagerName() {
+        return this.globalBinary;
+    }
     /**
      * Recursively populates the SBOM instance with the parsed graph
      * @param {string} src - Source dependency to start the calculations from
@@ -131,7 +137,7 @@ export default class Base_Java {
         const toolPath = getCustomPath(this.globalBinary, opts);
         const useWrapper = getWrapperPreference(this.globalBinary, opts);
         if (useWrapper) {
-            const wrapper = this.traverseForWrapper(manifestPath);
+            const wrapper = traverseForWrapper(manifestDir, this.localWrapper);
             if (wrapper !== undefined) {
                 try {
                     this._invokeCommand(wrapper, ['--version'], { cwd: manifestDir });
@@ -156,39 +162,4 @@ export default class Base_Java {
         }
         return toolPath;
     }
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest, repoRoot = undefined) {
-        const normalizedManifest = this.normalizePath(startingManifest);
-        const currentDir = this.normalizePath(path.dirname(normalizedManifest));
-        repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(normalizedManifest).root;
-        const wrapperPath = path.join(currentDir, this.localWrapper);
-        try {
-            fs.accessSync(wrapperPath, fs.constants.X_OK);
-            return wrapperPath;
-        }
-        catch (error) {
-            if (error.code === 'ENOENT') {
-                const rootDir = path.parse(currentDir).root;
-                if (currentDir === repoRoot || currentDir === rootDir) {
-                    return undefined;
-                }
-                const parentDir = path.dirname(currentDir);
-                if (parentDir === currentDir || parentDir === rootDir) {
-                    return undefined;
-                }
-                return this.traverseForWrapper(path.join(parentDir, path.basename(normalizedManifest)), repoRoot);
-            }
-            throw new Error(`failure searching for ${this.localWrapper}`, { cause: error });
-        }
-    }
-    normalizePath(thePath) {
-        const normalized = path.resolve(thePath).normalize();
-        return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
-    }
 }

package/dist/src/providers/base_javascript.d.ts

@@ -47,6 +47,11 @@ export default class Base_javascript {
    */
     protected _cmdName(): string;
     /**
+   * Returns the package manager name (e.g. npm, yarn, pnpm, bun)
+   * @returns {string} The package manager name
+   */
+    packageManagerName(): string;
+    /**
    * Returns the command arguments for listing dependencies
    * @returns {Array<string>} The command arguments
    * @abstract
@@ -136,6 +141,12 @@ export default class Base_javascript {
    */
     protected _version(): string;
     /**
+   * Creates or updates the lock file for the package manager
+   * @param {string} manifestDir - Directory containing the manifest file
+   * @protected
+   */
+    protected _createLockFile(manifestDir: string): void;
+    /**
    * Parses the dependency tree output
    * @param {string} output - The output to parse
    * @returns {string} The parsed output

package/dist/src/providers/base_javascript.js

@@ -71,6 +71,13 @@ export default class Base_javascript {
         throw new TypeError("_cmdName must be implemented");
     }
     /**
+   * Returns the package manager name (e.g. npm, yarn, pnpm, bun)
+   * @returns {string} The package manager name
+   */
+    packageManagerName() {
+        return this._cmdName();
+    }
+    /**
    * Returns the command arguments for listing dependencies
    * @returns {Array<string>} The command arguments
    * @abstract
@@ -217,7 +224,7 @@ export default class Base_javascript {
         this._version();
         const manifestDir = path.dirname(this.#manifest.manifestPath);
         const cmdDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
-        this.#createLockFile(cmdDir);
+        this._createLockFile(cmdDir);
         let output = this.#executeListCmd(includeTransitive, cmdDir);
         output = this._parseDepTreeOutput(output);
         return JSON.parse(output);
@@ -363,9 +370,9 @@ export default class Base_javascript {
     /**
    * Creates or updates the lock file for the package manager
    * @param {string} manifestDir - Directory containing the manifest file
-   * @private
+   * @protected
    */
-    #createLockFile(manifestDir) {
+    _createLockFile(manifestDir) {
         const originalDir = process.cwd();
         const isWindows = os.platform() === 'win32';
         if (isWindows) {

package/dist/src/providers/base_pyproject.d.ts

@@ -1,4 +1,4 @@
-/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
 /** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
 /** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
 /** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
@@ -61,6 +61,11 @@ export default class Base_pyproject {
      * @protected
      */
     protected _cmdName(): string;
+    /**
+     * Returns the package manager name (e.g. pip, poetry, uv)
+     * @returns {string}
+     */
+    packageManagerName(): string;
     /**
      * Resolve dependencies using the tool-specific command and parser.
      *
@@ -131,6 +136,10 @@ export type GraphEntry = {
     name: string;
     version: string;
     children: string[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
 };
 export type DepTreeEntry = {
     name: string;

package/dist/src/providers/base_pyproject.js

@@ -7,9 +7,10 @@ import Sbom from '../sbom.js';
 import { getCustom } from '../tools.js';
 const ecosystem = 'pip';
 const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
+const NO_SCOPE = undefined;
 const DEFAULT_ROOT_NAME = 'default-pip-root';
 const DEFAULT_ROOT_VERSION = '0.0.0';
-/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
 /** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
 /** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
 /** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
@@ -144,6 +145,13 @@ export default class Base_pyproject {
     _cmdName() {
         throw new TypeError('_cmdName must be implemented');
     }
+    /**
+     * Returns the package manager name (e.g. pip, poetry, uv)
+     * @returns {string}
+     */
+    packageManagerName() {
+        return this._cmdName();
+    }
     /**
      * Resolve dependencies using the tool-specific command and parser.
      *
@@ -281,7 +289,7 @@ export default class Base_pyproject {
                     continue;
                 }
                 let entry = graph.get(key);
-                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version), NO_SCOPE, entry.hashes);
             }
             for (let [key, entry] of graph) {
                 if (!reachable.has(key)) {
@@ -293,7 +301,7 @@ export default class Base_pyproject {
                         continue;
                     }
                     let childEntry = graph.get(child);
-                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version), NO_SCOPE, childEntry.hashes);
                 }
             }
         }
@@ -306,7 +314,7 @@ export default class Base_pyproject {
                 if (!entry) {
                     continue;
                 }
-                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version), NO_SCOPE, entry.hashes);
             }
         }
         return sbom.getAsJsonString(opts);

package/dist/src/providers/golang_gomodules.d.ts

@@ -1,9 +1,19 @@
+/**
+ * Discover all go.mod manifest paths in a Go workspace.
+ * Uses `go work edit -json` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain go.work)
+ * @param {import('../index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to go.mod files (absolute)
+ */
+export function discoverGoWorkspaceModules(workspaceRoot: string, opts?: import("../index.js").Options): Promise<string[]>;
 declare namespace _default {
     export { isSupported };
     export { validateLockFile };
     export { provideComponent };
     export { provideStack };
     export { readLicenseFromManifest };
+    export function packageManagerName(): string;
 }
 export default _default;
 export type Provided = import("../provider").Provided;