@trustify-da/trustify-da-javascript-client 0.3.0-ea.2ea1d77 → 0.3.0-ea.320ec49

package/dist/src/providers/base_javascript.js

@@ -97,18 +97,63 @@ export default class Base_javascript {
         return 'package.json' === manifestName;
     }
     /**
-   * Checks if a required lock file exists in the manifest directory or at the workspace root.
-   * When TRUSTIFY_DA_WORKSPACE_DIR is provided (via env var or opts),
-   * checks only that directory for the lock file.
+   * Walks up the directory tree from manifestDir looking for the lock file.
+   * Stops when the lock file is found, when a package.json with a "workspaces"
+   * field is encountered without a lock file (workspace root boundary), or
+   * when the filesystem root is reached.
+   *
+   * When TRUSTIFY_DA_WORKSPACE_DIR is set, checks only that directory (no walk-up).
+   *
+   * @param {string} manifestDir - The directory to start searching from
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
+   * @returns {string|null} The directory containing the lock file, or null
+   * @protected
+   */
+    _isWorkspaceRoot(dir) {
+        if (fs.existsSync(path.join(dir, 'pnpm-workspace.yaml'))) {
+            return true;
+        }
+        const pkgJsonPath = path.join(dir, 'package.json');
+        if (fs.existsSync(pkgJsonPath)) {
+            try {
+                const content = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8'));
+                if (content.workspaces) {
+                    return true;
+                }
+            }
+            catch (_) {
+                // ignore parse errors
+            }
+        }
+        return false;
+    }
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        let dir = path.resolve(manifestDir);
+        let parent = dir;
+        do {
+            dir = parent;
+            if (fs.existsSync(path.join(dir, this._lockFileName()))) {
+                return dir;
+            }
+            if (this._isWorkspaceRoot(dir)) {
+                return null;
+            }
+            parent = path.dirname(dir);
+        } while (parent !== dir);
+        return null;
+    }
+    /**
    * @param {string} manifestDir - The base directory where the manifest is located
-   * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional workspace root
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
    * @returns {boolean} True if the lock file exists
    */
     validateLockFile(manifestDir, opts = {}) {
-        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
-        const dirToCheck = workspaceDir ? path.resolve(workspaceDir) : manifestDir;
-        const lock = path.join(dirToCheck, this._lockFileName());
-        return fs.existsSync(lock);
+        return this._findLockFileDir(manifestDir, opts) !== null;
     }
     /**
    * Provides content and content type for stack analysis
@@ -171,8 +216,7 @@ export default class Base_javascript {
     _buildDependencyTree(includeTransitive, opts = {}) {
         this._version();
         const manifestDir = path.dirname(this.#manifest.manifestPath);
-        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
-        const cmdDir = workspaceDir ? path.resolve(workspaceDir) : manifestDir;
+        const cmdDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
         this.#createLockFile(cmdDir);
         let output = this.#executeListCmd(includeTransitive, cmdDir);
         output = this._parseDepTreeOutput(output);
@@ -191,9 +235,32 @@ export default class Base_javascript {
         let sbom = new Sbom();
         sbom.addRoot(mainComponent, license);
         this._addDependenciesToSbom(sbom, depsObject);
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
+    /**
+     * Ensures peer and optional dependencies declared in the manifest are
+     * present in the SBOM, even when the package manager does not resolve them
+     * (e.g. yarn does not include peer deps in its dependency listing).
+     * @param {Sbom} sbom - The SBOM to supplement
+     * @private
+     */
+    #ensurePeerAndOptionalDeps(sbom) {
+        const rootPurl = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const depSources = [this.#manifest.peerDependencies, this.#manifest.optionalDependencies];
+        for (const source of depSources) {
+            for (const [name, version] of Object.entries(source)) {
+                // Build the purl prefix for exact matching (e.g. "pkg:npm/minimist@"
+                // or "pkg:npm/%40hapi/joi@") to avoid substring false positives
+                const probe = toPurl(purlType, name, version);
+                const purlPrefix = probe.toString().replace(/@[^@]*$/, '@');
+                if (!sbom.checkDependsOnByPurlPrefix(rootPurl, purlPrefix)) {
+                    sbom.addDependency(rootPurl, probe);
+                }
+            }
+        }
+    }
     /**
    * Recursively builds the Sbom from the JSON that npm listing returns
    * @param {Sbom} sbom - The SBOM object to add dependencies to
@@ -201,7 +268,10 @@ export default class Base_javascript {
    * @protected
    */
     _addDependenciesToSbom(sbom, depTree) {
-        const dependencies = depTree["dependencies"] || {};
+        const dependencies = {
+            ...depTree["dependencies"],
+            ...depTree["optionalDependencies"],
+        };
         Object.entries(dependencies)
             .forEach(entry => {
             const [name, artifact] = entry;
@@ -251,6 +321,7 @@ export default class Base_javascript {
             const rootPurl = toPurlFromString(sbom.getRoot().purl);
             sbom.addDependency(rootPurl, rootDeps.get(key));
         }
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
@@ -261,10 +332,14 @@ export default class Base_javascript {
    * @protected
    */
     _getRootDependencies(depTree) {
-        if (!depTree.dependencies) {
+        const allDeps = {
+            ...depTree.dependencies,
+            ...depTree.optionalDependencies,
+        };
+        if (Object.keys(allDeps).length === 0) {
             return new Map();
         }
-        return new Map(Object.entries(depTree.dependencies).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
+        return new Map(Object.entries(allDeps).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
     }
     /**
    * Executes the list command to get dependencies
@@ -275,7 +350,7 @@ export default class Base_javascript {
    */
     #executeListCmd(includeTransitive, manifestDir) {
         const listArgs = this._listCmdArgs(includeTransitive, manifestDir);
-        return this.#invokeCommand(listArgs);
+        return this.#invokeCommand(listArgs, { cwd: manifestDir });
     }
     /**
    * Gets the version of the package manager
@@ -294,13 +369,11 @@ export default class Base_javascript {
         const originalDir = process.cwd();
         const isWindows = os.platform() === 'win32';
         if (isWindows) {
-            // On Windows, --prefix flag doesn't work as expected
-            // Instead of installing from the prefix folder, it installs from current working directory
             process.chdir(manifestDir);
         }
         try {
             const args = this._updateLockFileCmdArgs(manifestDir);
-            this.#invokeCommand(args);
+            this.#invokeCommand(args, { cwd: manifestDir });
         }
         finally {
             if (isWindows) {

package/dist/src/providers/base_pyproject.d.ts

@@ -0,0 +1,149 @@
+/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
+/** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
+/** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
+export default class Base_pyproject {
+    /**
+     * @param {string} manifestName
+     * @returns {boolean}
+     */
+    isSupported(manifestName: string): boolean;
+    /**
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: any): boolean;
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    protected _findLockFileDir(manifestDir: string, opts?: any): string | null;
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    protected _isWorkspaceRoot(dir: string): boolean;
+    /**
+     * Read project license from pyproject.toml, with fallback to LICENSE file.
+     * @param {string} manifestPath
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath: string): string | null;
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    provideStack(manifest: string, opts?: any): Promise<Provided>;
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    provideComponent(manifest: string, opts?: any): Promise<Provided>;
+    /**
+     * @returns {string}
+     * @protected
+     */
+    protected _lockFileName(): string;
+    /**
+     * @returns {string}
+     * @protected
+     */
+    protected _cmdName(): string;
+    /**
+     * Resolve dependencies using the tool-specific command and parser.
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<DependencyData>}
+     * @protected
+     */
+    protected _getDependencyData(manifestDir: string, workspaceDir: string, parsed: object, opts: any): Promise<DependencyData>;
+    /**
+     * Canonicalize a Python package name per PEP 503.
+     * @param {string} name
+     * @returns {string}
+     * @protected
+     */
+    protected _canonicalize(name: string): string;
+    /**
+     * Get the project name from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    protected _getProjectName(parsed: object): string | null;
+    /**
+     * Get the project version from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    protected _getProjectVersion(parsed: object): string | null;
+    /**
+     * Scan raw pyproject.toml text for dependencies with ignore markers.
+     * @param {string} manifestPath
+     * @returns {Set<string>}
+     * @protected
+     */
+    protected _getIgnoredDeps(manifestPath: string): Set<string>;
+    /**
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} directDeps
+     * @param {Set<string>} ignoredDeps
+     * @returns {Set<string>}
+     * @protected
+     */
+    protected _reachableNodes(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>): Set<string>;
+    /**
+     * @param {string} name
+     * @param {string} version
+     * @returns {PackageURL}
+     * @protected
+     */
+    protected _toPurl(name: string, version: string): PackageURL;
+    /**
+     * Create SBOM json string for a pyproject.toml project.
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} opts
+     * @param {boolean} includeTransitive
+     * @returns {Promise<string>}
+     * @private
+     */
+    private _createSbom;
+}
+export type GraphEntry = {
+    name: string;
+    version: string;
+    children: string[];
+};
+export type DepTreeEntry = {
+    name: string;
+    version: string;
+    dependencies: DepTreeEntry[];
+};
+export type DependencyData = {
+    directDeps: string[];
+    graph: Map<string, GraphEntry>;
+};
+export type Provided = {
+    ecosystem: string;
+    content: string;
+    contentType: string;
+};
+import { PackageURL } from 'packageurl-js';

package/dist/src/providers/base_pyproject.js

@@ -0,0 +1,314 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { PackageURL } from 'packageurl-js';
+import { parse as parseToml } from 'smol-toml';
+import { getLicense } from '../license/license_utils.js';
+import Sbom from '../sbom.js';
+import { getCustom } from '../tools.js';
+const ecosystem = 'pip';
+const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
+const DEFAULT_ROOT_NAME = 'default-pip-root';
+const DEFAULT_ROOT_VERSION = '0.0.0';
+/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
+/** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
+/** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
+export default class Base_pyproject {
+    /**
+     * @param {string} manifestName
+     * @returns {boolean}
+     */
+    isSupported(manifestName) {
+        return 'pyproject.toml' === manifestName;
+    }
+    /**
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir, opts = {}) {
+        return this._findLockFileDir(manifestDir, opts) != null;
+    }
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        let dir = path.resolve(manifestDir);
+        let parent = dir;
+        do {
+            dir = parent;
+            if (fs.existsSync(path.join(dir, this._lockFileName()))) {
+                return dir;
+            }
+            if (this._isWorkspaceRoot(dir)) {
+                return null;
+            }
+            parent = path.dirname(dir);
+        } while (parent !== dir);
+        return null;
+    }
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    _isWorkspaceRoot(dir) {
+        const pyprojectPath = path.join(dir, 'pyproject.toml');
+        if (!fs.existsSync(pyprojectPath)) {
+            return false;
+        }
+        try {
+            const content = parseToml(fs.readFileSync(pyprojectPath, 'utf-8'));
+            if (content.tool?.uv?.workspace) {
+                return true;
+            }
+        }
+        catch (_) {
+            // ignore parse errors
+        }
+        return false;
+    }
+    /**
+     * Read project license from pyproject.toml, with fallback to LICENSE file.
+     * @param {string} manifestPath
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath) {
+        let fromManifest = null;
+        try {
+            let content = fs.readFileSync(manifestPath, 'utf-8');
+            let parsed = parseToml(content);
+            fromManifest = parsed.project?.license;
+            if (typeof fromManifest === 'object' && fromManifest != null) {
+                fromManifest = fromManifest.text || null;
+            }
+            if (!fromManifest) {
+                fromManifest = parsed.tool?.poetry?.license || null;
+            }
+        }
+        catch (_) {
+            // leave fromManifest as null
+        }
+        return getLicense(fromManifest, manifestPath);
+    }
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    async provideStack(manifest, opts = {}) {
+        return {
+            ecosystem,
+            content: await this._createSbom(manifest, opts, true),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    async provideComponent(manifest, opts = {}) {
+        return {
+            ecosystem,
+            content: await this._createSbom(manifest, opts, false),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    // --- abstract methods (subclasses must override) ---
+    /**
+     * @returns {string}
+     * @protected
+     */
+    _lockFileName() {
+        throw new TypeError('_lockFileName must be implemented');
+    }
+    /**
+     * @returns {string}
+     * @protected
+     */
+    _cmdName() {
+        throw new TypeError('_cmdName must be implemented');
+    }
+    /**
+     * Resolve dependencies using the tool-specific command and parser.
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<DependencyData>}
+     * @protected
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, workspaceDir, parsed, opts) {
+        throw new TypeError('_getDependencyData must be implemented');
+    }
+    // --- shared helpers ---
+    /**
+     * Canonicalize a Python package name per PEP 503.
+     * @param {string} name
+     * @returns {string}
+     * @protected
+     */
+    _canonicalize(name) {
+        return name.toLowerCase().replace(/[-_.]+/g, '-');
+    }
+    /**
+     * Get the project name from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    _getProjectName(parsed) {
+        return parsed.project?.name || parsed.tool?.poetry?.name || null;
+    }
+    /**
+     * Get the project version from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    _getProjectVersion(parsed) {
+        return parsed.project?.version || parsed.tool?.poetry?.version || null;
+    }
+    /**
+     * Scan raw pyproject.toml text for dependencies with ignore markers.
+     * @param {string} manifestPath
+     * @returns {Set<string>}
+     * @protected
+     */
+    _getIgnoredDeps(manifestPath) {
+        let ignored = new Set();
+        let content = fs.readFileSync(manifestPath, 'utf-8');
+        let lines = content.split(/\r?\n/);
+        for (let line of lines) {
+            if (!IGNORE_MARKERS.some(m => line.includes(m))) {
+                continue;
+            }
+            // PEP 621 style: "requests>=2.25" #exhortignore
+            let pep621Match = line.match(/^\s*"([^"]+)"/);
+            if (pep621Match) {
+                let reqStr = pep621Match[1];
+                let nameMatch = reqStr.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+                if (nameMatch) {
+                    ignored.add(this._canonicalize(nameMatch[1]));
+                }
+                continue;
+            }
+            // Poetry style: requests = "^2.25" #exhortignore
+            let poetryMatch = line.match(/^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*=/);
+            if (poetryMatch) {
+                ignored.add(this._canonicalize(poetryMatch[1]));
+            }
+        }
+        return ignored;
+    }
+    /**
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} directDeps
+     * @param {Set<string>} ignoredDeps
+     * @returns {Set<string>}
+     * @protected
+     */
+    _reachableNodes(graph, directDeps, ignoredDeps) {
+        let reachable = new Set();
+        let queue = directDeps.filter(k => !ignoredDeps.has(k) && graph.has(k));
+        while (queue.length > 0) {
+            let key = queue.shift();
+            if (reachable.has(key)) {
+                continue;
+            }
+            reachable.add(key);
+            for (let child of graph.get(key).children) {
+                if (!ignoredDeps.has(child) && graph.has(child) && !reachable.has(child)) {
+                    queue.push(child);
+                }
+            }
+        }
+        return reachable;
+    }
+    /**
+     * @param {string} name
+     * @param {string} version
+     * @returns {PackageURL}
+     * @protected
+     */
+    _toPurl(name, version) {
+        return new PackageURL('pypi', undefined, name, version, undefined, undefined);
+    }
+    /**
+     * Create SBOM json string for a pyproject.toml project.
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} opts
+     * @param {boolean} includeTransitive
+     * @returns {Promise<string>}
+     * @private
+     */
+    async _createSbom(manifest, opts, includeTransitive) {
+        let manifestDir = path.dirname(manifest);
+        let content = fs.readFileSync(manifest, 'utf-8');
+        let parsed = parseToml(content);
+        let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
+        let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
+        let ignoredDeps = this._getIgnoredDeps(manifest);
+        let sbom = new Sbom();
+        let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
+        let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
+        let rootPurl = this._toPurl(rootName, rootVersion);
+        let license = this.readLicenseFromManifest(manifest);
+        sbom.addRoot(rootPurl, license);
+        if (includeTransitive) {
+            let reachable = this._reachableNodes(graph, directDeps, ignoredDeps);
+            for (let key of directDeps) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+            }
+            for (let [key, entry] of graph) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let parentPurl = this._toPurl(entry.name, entry.version);
+                for (let child of entry.children) {
+                    if (!reachable.has(child)) {
+                        continue;
+                    }
+                    let childEntry = graph.get(child);
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
+                }
+            }
+        }
+        else {
+            for (let key of directDeps) {
+                if (ignoredDeps.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                if (!entry) {
+                    continue;
+                }
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+            }
+        }
+        return sbom.getAsJsonString(opts);
+    }
+}

package/dist/src/providers/golang_gomodules.d.ts

@@ -19,31 +19,31 @@ export type Dependency = {
     ignore: boolean;
 };
 /**
- * @param {string} manifestName - the subject manifest name-type
- * @returns {boolean} - return true if `pom.xml` is the manifest name-type
+ * @param {string} manifestName the subject manifest name-type
+ * @returns {boolean} return true if `pom.xml` is the manifest name-type
 */
 declare function isSupported(manifestName: string): boolean;
 /**
- * @param {string} manifestDir - the directory where the manifest lies
+ * @param {string} manifestDir the directory where the manifest lies
  */
 declare function validateLockFile(): boolean;
 /**
  * Provide content and content type for maven-maven component analysis.
- * @param {string} manifest - path to go.mod for component report
- * @param {{}} [opts={}] - optional various options to pass along the application
- * @returns {Provided}
+ * @param {string} manifest path to go.mod for component report
+ * @param {{}} [opts={}] optional various options to pass along the application
+ * @returns {Promise<Provided>}
  */
-declare function provideComponent(manifest: string, opts?: {}): Provided;
+declare function provideComponent(manifest: string, opts?: {}): Promise<Provided>;
 /**
  * Provide content and content type for maven-maven stack analysis.
- * @param {string} manifest - the manifest path or name
- * @param {{}} [opts={}] - optional various options to pass along the application
- * @returns {Provided}
+ * @param {string} manifest the manifest path or name
+ * @param {{}} [opts={}] optional various options to pass along the application
+ * @returns {Promise<Provided>}
  */
-declare function provideStack(manifest: string, opts?: {}): Provided;
+declare function provideStack(manifest: string, opts?: {}): Promise<Provided>;
 /**
  * Go modules have no standard license field in go.mod
- * @param {string} manifestPath - path to go.mod
+ * @param {string} manifestPath path to go.mod
  * @returns {string|null}
 */
 declare function readLicenseFromManifest(manifestPath: string): string | null;