@trustify-da/trustify-da-javascript-client 0.3.0-ea.29f6867 → 0.3.0-ea.2ea1d77

package/dist/src/index.js

@@ -1,17 +1,22 @@
 import path from "node:path";
 import { EOL } from "os";
+import pLimit from 'p-limit';
 import { availableProviders, match } from './provider.js';
 import analysis from './analysis.js';
 import fs from 'node:fs';
 import { getCustom } from "./tools.js";
+import { resolveBatchMetadata, resolveContinueOnError } from './batch_opts.js';
+import { discoverWorkspaceCrates, discoverWorkspacePackages, filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, validatePackageJson, } from './workspace.js';
 import.meta.dirname;
 import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
-export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken };
+export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken };
+export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
+ * TRUSTIFY_DA_CARGO_PATH?: string | undefined,
  * TRUSTIFY_DA_DOCKER_PATH?: string | undefined,
  * TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED?: string | undefined,
  * TRUSTIFY_DA_GO_PATH?: string | undefined,
@@ -36,14 +41,34 @@ export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken
  * TRUSTIFY_DA_SYFT_CONFIG_PATH?: string | undefined,
  * TRUSTIFY_DA_SYFT_PATH?: string | undefined,
  * TRUSTIFY_DA_YARN_PATH?: string | undefined,
+ * TRUSTIFY_DA_WORKSPACE_DIR?: string | undefined,
  * TRUSTIFY_DA_LICENSE_CHECK?: string | undefined,
  * MATCH_MANIFEST_VERSIONS?: string | undefined,
  * TRUSTIFY_DA_SOURCE?: string | undefined,
  * TRUSTIFY_DA_TOKEN?: string | undefined,
  * TRUSTIFY_DA_TELEMETRY_ID?: string | undefined,
- * [key: string]: string | undefined,
+ * TRUSTIFY_DA_WORKSPACE_DIR?: string | undefined,
+ * batchConcurrency?: number | undefined,
+ * TRUSTIFY_DA_BATCH_CONCURRENCY?: string | undefined,
+ * workspaceDiscoveryIgnore?: string[] | undefined,
+ * TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string | undefined,
+ * continueOnError?: boolean | undefined,
+ * TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined,
+ * batchMetadata?: boolean | undefined,
+ * TRUSTIFY_DA_BATCH_METADATA?: string | undefined,
+ * [key: string]: string | number | boolean | string[] | undefined,
  * }} Options
  */
+/**
+ * @typedef {{
+ *   workspaceRoot: string,
+ *   ecosystem: 'javascript' | 'cargo' | 'unknown',
+ *   total: number,
+ *   successful: number,
+ *   failed: number,
+ *   errors: Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>
+ * }} BatchAnalysisMetadata
+ */
 /**
  * Logs messages to the console if the TRUSTIFY_DA_DEBUG environment variable is set to "true".
  * @param {string} alongsideText - The text to prepend to the log message.
@@ -129,7 +154,7 @@ export function selectTrustifyDABackend(opts = {}) {
 async function stackAnalysis(manifest, html = false, opts = {}) {
     const theUrl = selectTrustifyDABackend(opts);
     fs.accessSync(manifest, fs.constants.R_OK); // throws error if file unreadable
-    let provider = match(manifest, availableProviders); // throws error if no matching provider
+    let provider = match(manifest, availableProviders, opts); // throws error if no matching provider
     return await analysis.requestStack(provider, manifest, theUrl, html, opts); // throws error request sending failed
 }
 /**
@@ -143,7 +168,7 @@ async function componentAnalysis(manifest, opts = {}) {
     const theUrl = selectTrustifyDABackend(opts);
     fs.accessSync(manifest, fs.constants.R_OK);
     opts["manifest-type"] = path.basename(manifest);
-    let provider = match(manifest, availableProviders); // throws error if no matching provider
+    let provider = match(manifest, availableProviders, opts); // throws error if no matching provider
     return await analysis.requestComponent(provider, manifest, theUrl, opts); // throws error request sending failed
 }
 /**
@@ -176,6 +201,242 @@ async function imageAnalysis(imageRefs, html = false, opts = {}) {
     const theUrl = selectTrustifyDABackend(opts);
     return await analysis.requestImages(imageRefs, theUrl, html, opts);
 }
+/**
+ * Max concurrent SBOM generations for batch workspace analysis. Env/opts override default 10.
+ * @param {Options} opts
+ * @returns {number}
+ * @private
+ */
+function resolveBatchConcurrency(opts) {
+    const fromEnv = getCustom('TRUSTIFY_DA_BATCH_CONCURRENCY', null, opts);
+    const raw = opts.batchConcurrency ?? fromEnv ?? '10';
+    const n = typeof raw === 'number' ? raw : parseInt(String(raw), 10);
+    if (!Number.isFinite(n) || n < 1) {
+        return 10;
+    }
+    return Math.min(256, n);
+}
+/**
+ * @param {string} root
+ * @param {'javascript' | 'cargo' | 'unknown'} ecosystem
+ * @param {number} totalSbomAttempts
+ * @param {number} successfulSbomCount
+ * @param {Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>} errors
+ * @returns {BatchAnalysisMetadata}
+ * @private
+ */
+function buildBatchAnalysisMetadata(root, ecosystem, totalSbomAttempts, successfulSbomCount, errors) {
+    return {
+        workspaceRoot: root,
+        ecosystem,
+        total: totalSbomAttempts,
+        successful: successfulSbomCount,
+        failed: errors.length,
+        errors: [...errors],
+    };
+}
+/**
+ * @typedef {{ ok: true, purl: string, sbom: object } | { ok: false, manifestPath: string, reason: string }} SbomResult
+ */
+/**
+ * Generate an SBOM for a single manifest, returning a normalized result.
+ *
+ * @param {string} manifestPath
+ * @param {Options} workspaceOpts - opts with `TRUSTIFY_DA_WORKSPACE_DIR` set
+ * @returns {Promise<SbomResult>}
+ * @private
+ */
+async function generateOneSbom(manifestPath, workspaceOpts) {
+    const provider = match(manifestPath, availableProviders, workspaceOpts);
+    const provided = await provider.provideStack(manifestPath, workspaceOpts);
+    const sbom = JSON.parse(provided.content);
+    const purl = sbom?.metadata?.component?.purl || sbom?.metadata?.component?.['bom-ref'];
+    if (!purl) {
+        return { ok: false, manifestPath, reason: 'missing purl in SBOM' };
+    }
+    return { ok: true, purl, sbom };
+}
+/**
+ * Detect the workspace ecosystem and discover manifest paths.
+ *
+ * @param {string} root - Resolved workspace root
+ * @param {Options} opts
+ * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'unknown', manifestPaths: string[] }>}
+ * @private
+ */
+async function detectWorkspaceManifests(root, opts) {
+    const cargoToml = path.join(root, 'Cargo.toml');
+    const cargoLock = path.join(root, 'Cargo.lock');
+    const packageJson = path.join(root, 'package.json');
+    if (fs.existsSync(cargoToml) && fs.existsSync(cargoLock)) {
+        return { ecosystem: 'cargo', manifestPaths: await discoverWorkspaceCrates(root, opts) };
+    }
+    const hasJsLock = fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
+        || fs.existsSync(path.join(root, 'yarn.lock'))
+        || fs.existsSync(path.join(root, 'package-lock.json'));
+    if (fs.existsSync(packageJson) && hasJsLock) {
+        let manifestPaths = await discoverWorkspacePackages(root, opts);
+        if (manifestPaths.length === 0) {
+            manifestPaths = [packageJson];
+        }
+        return { ecosystem: 'javascript', manifestPaths };
+    }
+    return { ecosystem: 'unknown', manifestPaths: [] };
+}
+/**
+ * Validate discovered JS package.json manifests, collecting errors.
+ *
+ * @param {string[]} manifestPaths
+ * @param {boolean} continueOnError
+ * @param {Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>} collectedErrors - mutated in place
+ * @returns {{ validPaths: string[] }}
+ * @throws {Error} on first invalid manifest when `continueOnError` is false
+ * @private
+ */
+function validateJsManifests(manifestPaths, continueOnError, collectedErrors) {
+    const validPaths = [];
+    for (const p of manifestPaths) {
+        const v = validatePackageJson(p);
+        if (v.valid) {
+            validPaths.push(p);
+        }
+        else {
+            collectedErrors.push({ manifestPath: p, phase: 'validation', reason: v.error });
+            console.warn(`Skipping invalid package.json (${v.error}): ${p}`);
+            if (!continueOnError) {
+                throw new Error(`Invalid package.json (${v.error}): ${p}`);
+            }
+        }
+    }
+    return { validPaths };
+}
+/**
+ * Generate SBOMs for all manifests. In fail-fast mode, stops on first error.
+ * In continue-on-error mode, runs concurrently and collects failures.
+ *
+ * @param {string[]} manifestPaths
+ * @param {Options} workspaceOpts
+ * @param {boolean} continueOnError
+ * @param {number} concurrency
+ * @param {Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>} collectedErrors - mutated in place
+ * @returns {Promise<Object.<string, object>>} sbomByPurl map
+ * @throws {Error} on first SBOM failure when `continueOnError` is false
+ * @private
+ */
+async function generateSboms(manifestPaths, workspaceOpts, continueOnError, concurrency, collectedErrors) {
+    /** @type {SbomResult[]} */
+    const results = [];
+    if (!continueOnError) {
+        for (const manifestPath of manifestPaths) {
+            const result = await generateOneSbom(manifestPath, workspaceOpts);
+            if (!result.ok) {
+                collectedErrors.push({ manifestPath: result.manifestPath, phase: 'sbom', reason: result.reason });
+                throw new Error(`${result.manifestPath}: ${result.reason}`);
+            }
+            results.push(result);
+        }
+    }
+    else {
+        const limit = pLimit(concurrency);
+        const settled = await Promise.all(manifestPaths.map(manifestPath => limit(async () => {
+            try {
+                return await generateOneSbom(manifestPath, workspaceOpts);
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
+                    console.log(`Skipping ${manifestPath}: ${msg}`);
+                }
+                return { ok: false, manifestPath, reason: msg };
+            }
+        })));
+        for (const r of settled) {
+            results.push(r);
+            if (!r.ok) {
+                collectedErrors.push({ manifestPath: r.manifestPath, phase: 'sbom', reason: r.reason });
+            }
+        }
+    }
+    const sbomByPurl = {};
+    for (const r of results) {
+        if (r.ok) {
+            sbomByPurl[r.purl] = r.sbom;
+        }
+    }
+    return sbomByPurl;
+}
+/**
+ * Create an Error with optional `batchMetadata` attached.
+ * @param {string} message
+ * @param {boolean} wantMetadata
+ * @param {BatchAnalysisMetadata} [metadata]
+ * @returns {Error}
+ * @private
+ */
+function batchError(message, wantMetadata, metadata) {
+    const err = new Error(message);
+    if (wantMetadata && metadata) {
+        err.batchMetadata = metadata;
+    }
+    return err;
+}
+/**
+ * Get stack analysis for all workspace packages/crates (batch).
+ * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
+ * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
+ * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
+ *
+ * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON report
+ * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
+ */
+async function stackAnalysisBatch(workspaceRoot, html = false, opts = {}) {
+    const theUrl = selectTrustifyDABackend(opts);
+    const root = path.resolve(workspaceRoot);
+    fs.accessSync(root, fs.constants.R_OK);
+    const continueOnError = resolveContinueOnError(opts);
+    const wantMetadata = resolveBatchMetadata(opts);
+    /** @type {Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>} */
+    const collectedErrors = [];
+    const { ecosystem, manifestPaths: discovered } = await detectWorkspaceManifests(root, opts);
+    let manifestPaths = discovered;
+    if (ecosystem === 'javascript') {
+        try {
+            const { validPaths } = validateJsManifests(manifestPaths, continueOnError, collectedErrors);
+            manifestPaths = validPaths;
+        }
+        catch (err) {
+            throw batchError(err.message, wantMetadata, buildBatchAnalysisMetadata(root, ecosystem, 0, 0, collectedErrors));
+        }
+        if (manifestPaths.length === 0 && discovered.length > 0) {
+            const detail = collectedErrors.map(e => `${e.manifestPath}: ${e.reason}`).join('; ');
+            throw batchError(`No valid packages after validation at ${root}. ${detail}`, wantMetadata, buildBatchAnalysisMetadata(root, ecosystem, 0, 0, collectedErrors));
+        }
+    }
+    if (manifestPaths.length === 0) {
+        throw new Error(`No workspace manifests found at ${root}. Ensure Cargo.toml+Cargo.lock or package.json+lock file exist.`);
+    }
+    const workspaceOpts = { ...opts, TRUSTIFY_DA_WORKSPACE_DIR: root };
+    const concurrency = resolveBatchConcurrency(opts);
+    let sbomByPurl;
+    try {
+        sbomByPurl = await generateSboms(manifestPaths, workspaceOpts, continueOnError, concurrency, collectedErrors);
+    }
+    catch (err) {
+        throw batchError(err.message, wantMetadata, buildBatchAnalysisMetadata(root, ecosystem, manifestPaths.length, 0, collectedErrors));
+    }
+    if (Object.keys(sbomByPurl).length === 0) {
+        throw batchError(`No valid SBOMs produced from ${manifestPaths.length} manifest(s) at ${root}`, wantMetadata, buildBatchAnalysisMetadata(root, ecosystem, manifestPaths.length, 0, collectedErrors));
+    }
+    const analysisResult = await analysis.requestStackBatch(sbomByPurl, theUrl, html, opts);
+    const meta = buildBatchAnalysisMetadata(root, ecosystem, manifestPaths.length, Object.keys(sbomByPurl).length, collectedErrors);
+    if (wantMetadata) {
+        return { analysis: analysisResult, metadata: meta };
+    }
+    return analysisResult;
+}
 /**
  * Validates the Exhort token.
  * @param {Options} [opts={}] - Optional parameters, potentially including token override.

package/dist/src/license/licenses_api.js

@@ -4,6 +4,7 @@
  * @see https://github.com/guacsec/trustify-dependency-analytics#license-analysis-apiv5licenses
  * @see https://github.com/guacsec/trustify-da-api-spec/blob/main/api/v5/openapi.yaml
  */
+import { PackageURL } from 'packageurl-js';
 import { selectTrustifyDABackend } from '../index.js';
 import { addProxyAgent, getTokenHeaders } from '../tools.js';
 /**
@@ -39,6 +40,10 @@ export async function getLicenseDetails(spdxId, opts = {}) {
         throw new Error(`Failed to fetch license details: ${err.message}`);
     }
 }
+function normalizePurlString(purl) {
+    const parsed = PackageURL.fromString(purl);
+    return new PackageURL(parsed.type, parsed.namespace, parsed.name, parsed.version, null, null).toString();
+}
 /**
  * Normalize the LicensesResponse shape (array of LicenseProviderResult) into a map of purl -> license info.
  * Each provider result has { status, summary, packages } where packages is { [purl]: { concluded, evidence } }.
@@ -53,6 +58,7 @@ export function normalizeLicensesResponse(data, purls = []) {
     if (!data || !Array.isArray(data)) {
         return map;
     }
+    const normalizedPurlsSet = purls.length > 0 ? new Set(purls.map(normalizePurlString)) : null;
     for (const providerResult of data) {
         const packages = providerResult?.packages;
         if (!packages || typeof packages !== 'object') {
@@ -64,8 +70,9 @@ export function normalizeLicensesResponse(data, purls = []) {
             const expression = concluded?.expression;
             const licenses = identifiers.length > 0 ? identifiers : (expression ? [expression] : []);
             const category = concluded?.category; // PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
-            if (purls.length === 0 || purls.includes(purl)) {
-                map.set(purl, { licenses: licenses.filter(Boolean), category });
+            const normalizedPurl = normalizePurlString(purl);
+            if (normalizedPurlsSet === null || normalizedPurlsSet.has(normalizedPurl)) {
+                map.set(normalizedPurl, { licenses: licenses.filter(Boolean), category });
             }
         }
         // Use first provider that has packages; backend may return multiple (e.g. deps.dev)

package/dist/src/license/project_license.d.ts

@@ -17,12 +17,4 @@ export function getProjectLicense(manifestPath: string): {
  * @returns {Promise<string|null>} - SPDX identifier or null
  */
 export function identifyLicense(licenseFilePath: string, opts?: {}): Promise<string | null>;
-/**
- * Get license for SBOM root component with fallback to LICENSE file.
- * Priority: manifest license > LICENSE file > null
- * This is used by providers to populate the license field in the SBOM.
- * @param {string} manifestPath - path to manifest
- * @returns {string|null} - SPDX identifier or null
- */
-export function getLicenseForSbom(manifestPath: string): string | null;
 export { findLicenseFilePath, readLicenseFile } from "./license_utils.js";

package/dist/src/license/project_license.js

@@ -60,14 +60,3 @@ export async function identifyLicense(licenseFilePath, opts = {}) {
         return null; // Fallback to local detection on error
     }
 }
-/**
- * Get license for SBOM root component with fallback to LICENSE file.
- * Priority: manifest license > LICENSE file > null
- * This is used by providers to populate the license field in the SBOM.
- * @param {string} manifestPath - path to manifest
- * @returns {string|null} - SPDX identifier or null
- */
-export function getLicenseForSbom(manifestPath) {
-    const { fromManifest, fromFile } = getProjectLicense(manifestPath);
-    return fromManifest || fromFile || null;
-}

package/dist/src/provider.d.ts

@@ -13,12 +13,15 @@ export function matchForLicense(manifestPath: string, providers: [Provider]): Pr
  * Each provider MUST export 'provideStack' taking manifest path returning a {@link Provided}.
  * @param {string} manifest - the name-type or path of the manifest
  * @param {[Provider]} providers - list of providers to iterate over
+ * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional; TRUSTIFY_DA_WORKSPACE_DIR overrides lock file location for workspaces
  * @returns {Provider}
  * @throws {Error} when the manifest is not supported and no provider was matched
  */
-export function match(manifest: string, providers: [Provider]): Provider;
+export function match(manifest: string, providers: [Provider], opts?: {
+    TRUSTIFY_DA_WORKSPACE_DIR?: string;
+}): Provider;
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -31,7 +34,7 @@ export type Provided = {
 };
 export type Provider = {
     isSupported: (arg0: string) => boolean;
-    validateLockFile: (arg0: string) => void;
+    validateLockFile: (arg0: string, arg1: any) => void;
     provideComponent: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
     provideStack: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
     readLicenseFromManifest: (arg0: string) => string | null;

package/dist/src/provider.js

@@ -7,8 +7,9 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import rustCargoProvider from './providers/rust_cargo.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -17,11 +18,12 @@ export const availableProviders = [
     new Java_maven(),
     new Java_gradle_groovy(),
     new Java_gradle_kotlin(),
-    new Javascript_npm(),
     new Javascript_pnpm(),
     new Javascript_yarn(),
+    new Javascript_npm(),
     golangGomodulesProvider,
-    pythonPipProvider
+    pythonPipProvider,
+    rustCargoProvider
 ];
 /**
  * Match a provider by manifest type only (no lock file check). Used for license reading.
@@ -45,16 +47,17 @@ export function matchForLicense(manifestPath, providers) {
  * Each provider MUST export 'provideStack' taking manifest path returning a {@link Provided}.
  * @param {string} manifest - the name-type or path of the manifest
  * @param {[Provider]} providers - list of providers to iterate over
+ * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional; TRUSTIFY_DA_WORKSPACE_DIR overrides lock file location for workspaces
  * @returns {Provider}
  * @throws {Error} when the manifest is not supported and no provider was matched
  */
-export function match(manifest, providers) {
+export function match(manifest, providers, opts = {}) {
     const manifestPath = path.parse(manifest);
     const supported = providers.filter(prov => prov.isSupported(manifestPath.base));
     if (supported.length === 0) {
         throw new Error(`${manifestPath.base} is not supported`);
     }
-    const provider = supported.find(prov => prov.validateLockFile(manifestPath.dir));
+    const provider = supported.find(prov => prov.validateLockFile(manifestPath.dir, opts));
     if (!provider) {
         throw new Error(`${manifestPath.base} requires a lock file. Use your preferred package manager to generate the lock file.`);
     }

package/dist/src/providers/base_javascript.d.ts

@@ -67,11 +67,16 @@ export default class Base_javascript {
    */
     isSupported(manifestName: string): boolean;
     /**
-   * Checks if a required lock file exists in the same path as the manifest
+   * Checks if a required lock file exists in the manifest directory or at the workspace root.
+   * When TRUSTIFY_DA_WORKSPACE_DIR is provided (via env var or opts),
+   * checks only that directory for the lock file.
    * @param {string} manifestDir - The base directory where the manifest is located
+   * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional workspace root
    * @returns {boolean} True if the lock file exists
    */
-    validateLockFile(manifestDir: string): boolean;
+    validateLockFile(manifestDir: string, opts?: {
+        TRUSTIFY_DA_WORKSPACE_DIR?: string;
+    }): boolean;
     /**
    * Provides content and content type for stack analysis
    * @param {string} manifestPath - The manifest path or name
@@ -95,10 +100,11 @@ export default class Base_javascript {
     /**
    * Builds the dependency tree for the project
    * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @param {Object} [opts={}] - Configuration options; when `TRUSTIFY_DA_WORKSPACE_DIR` is set, commands run from workspace root
    * @returns {Object} The dependency tree
    * @protected
    */
-    protected _buildDependencyTree(includeTransitive: boolean): any;
+    protected _buildDependencyTree(includeTransitive: boolean, opts?: any): any;
     /**
    * Recursively builds the Sbom from the JSON that npm listing returns
    * @param {Sbom} sbom - The SBOM object to add dependencies to

package/dist/src/providers/base_javascript.js

@@ -3,7 +3,7 @@ import os from "node:os";
 import path from 'node:path';
 import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
-import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from "../tools.js";
+import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from '../tools.js';
 import Manifest from './manifest.js';
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
@@ -97,12 +97,17 @@ export default class Base_javascript {
         return 'package.json' === manifestName;
     }
     /**
-   * Checks if a required lock file exists in the same path as the manifest
+   * Checks if a required lock file exists in the manifest directory or at the workspace root.
+   * When TRUSTIFY_DA_WORKSPACE_DIR is provided (via env var or opts),
+   * checks only that directory for the lock file.
    * @param {string} manifestDir - The base directory where the manifest is located
+   * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional workspace root
    * @returns {boolean} True if the lock file exists
    */
-    validateLockFile(manifestDir) {
-        const lock = path.join(manifestDir, this._lockFileName());
+    validateLockFile(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        const dirToCheck = workspaceDir ? path.resolve(workspaceDir) : manifestDir;
+        const lock = path.join(dirToCheck, this._lockFileName());
         return fs.existsSync(lock);
     }
     /**
@@ -159,14 +164,17 @@ export default class Base_javascript {
     /**
    * Builds the dependency tree for the project
    * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @param {Object} [opts={}] - Configuration options; when `TRUSTIFY_DA_WORKSPACE_DIR` is set, commands run from workspace root
    * @returns {Object} The dependency tree
    * @protected
    */
-    _buildDependencyTree(includeTransitive) {
+    _buildDependencyTree(includeTransitive, opts = {}) {
         this._version();
-        let manifestDir = path.dirname(this.#manifest.manifestPath);
-        this.#createLockFile(manifestDir);
-        let output = this.#executeListCmd(includeTransitive, manifestDir);
+        const manifestDir = path.dirname(this.#manifest.manifestPath);
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        const cmdDir = workspaceDir ? path.resolve(workspaceDir) : manifestDir;
+        this.#createLockFile(cmdDir);
+        let output = this.#executeListCmd(includeTransitive, cmdDir);
         output = this._parseDepTreeOutput(output);
         return JSON.parse(output);
     }
@@ -177,7 +185,7 @@ export default class Base_javascript {
    * @private
    */
     #getSBOM(opts = {}) {
-        const depsObject = this._buildDependencyTree(true);
+        const depsObject = this._buildDependencyTree(true, opts);
         let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
         const license = this.readLicenseFromManifest(this.#manifest.manifestPath);
         let sbom = new Sbom();
@@ -229,7 +237,7 @@ export default class Base_javascript {
    * @private
    */
     #getDirectDependencySbom(opts = {}) {
-        const depTree = this._buildDependencyTree(false);
+        const depTree = this._buildDependencyTree(false, opts);
         let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
         const license = this.readLicenseFromManifest(this.#manifest.manifestPath);
         let sbom = new Sbom();

package/dist/src/providers/javascript_pnpm.d.ts

@@ -1,5 +1,5 @@
 export default class Javascript_pnpm extends Base_javascript {
     _listCmdArgs(includeTransitive: any): string[];
-    _buildDependencyTree(includeTransitive: any, manifest: any): any;
+    _buildDependencyTree(includeTransitive: any, opts?: {}): any;
 }
 import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_pnpm.js

@@ -12,8 +12,8 @@ export default class Javascript_pnpm extends Base_javascript {
     _updateLockFileCmdArgs() {
         return ['install', '--frozen-lockfile'];
     }
-    _buildDependencyTree(includeTransitive, manifest) {
-        const tree = super._buildDependencyTree(includeTransitive, manifest);
+    _buildDependencyTree(includeTransitive, opts = {}) {
+        const tree = super._buildDependencyTree(includeTransitive, opts);
         if (Array.isArray(tree) && tree.length > 0) {
             return tree[0];
         }

package/dist/src/providers/rust_cargo.d.ts

@@ -0,0 +1,52 @@
+declare namespace _default {
+    export { isSupported };
+    export { validateLockFile };
+    export { provideComponent };
+    export { provideStack };
+    export { readLicenseFromManifest };
+}
+export default _default;
+export type Provided = import("../provider").Provided;
+/**
+ * @param {string} manifestName - the subject manifest name-type
+ * @returns {boolean} - return true if `Cargo.toml` is the manifest name-type
+ */
+declare function isSupported(manifestName: string): boolean;
+/**
+ * Validates that Cargo.lock exists in the manifest directory or in a parent
+ * workspace root directory.  In Cargo workspaces the lock file always lives at
+ * the workspace root, so when a member crate's Cargo.toml is provided we walk
+ * up the directory tree looking for Cargo.lock (stopping when we find a
+ * Cargo.toml that contains a [workspace] section, or when we reach the
+ * filesystem root).
+ * When TRUSTIFY_DA_WORKSPACE_DIR is provided (via env var or opts),
+ * checks only that directory for Cargo.lock — no walk-up.
+ * @param {string} manifestDir - the directory where the manifest lies
+ * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional workspace root
+ * @returns {boolean} true if Cargo.lock is found
+ */
+declare function validateLockFile(manifestDir: string, opts?: {
+    TRUSTIFY_DA_WORKSPACE_DIR?: string;
+}): boolean;
+/**
+ * Provide content and content type for Cargo component analysis.
+ * @param {string} manifest - path to Cargo.toml for component report
+ * @param {{}} [opts={}] - optional various options to pass along the application
+ * @returns {Provided}
+ */
+declare function provideComponent(manifest: string, opts?: {}): Provided;
+/**
+ * Provide content and content type for Cargo stack analysis.
+ * @param {string} manifest - the manifest path
+ * @param {{}} [opts={}] - optional various options to pass along the application
+ * @returns {Provided}
+ */
+declare function provideStack(manifest: string, opts?: {}): Provided;
+/**
+ * Read project license from Cargo.toml, with fallback to LICENSE file.
+ * Supports the `license` field under `[package]` (single crate / workspace
+ * with root) and under `[workspace.package]` (virtual workspaces).
+ * @param {string} manifestPath - path to Cargo.toml
+ * @returns {string|null} SPDX identifier or null
+ */
+declare function readLicenseFromManifest(manifestPath: string): string | null;