@trustify-da/trustify-da-javascript-client 0.3.0-ea.320ec49 → 0.3.0-ea.3621bb7

package/dist/src/provider.js

@@ -7,7 +7,6 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
-import Python_pip_pyproject from './providers/python_pip_pyproject.js';
 import Python_poetry from './providers/python_poetry.js';
 import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
@@ -28,7 +27,6 @@ export const availableProviders = [
     pythonPipProvider,
     new Python_poetry(),
     new Python_uv(),
-    new Python_pip_pyproject(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_pyproject.d.ts

@@ -102,14 +102,26 @@ export default class Base_pyproject {
      */
     protected _getIgnoredDeps(manifestPath: string): Set<string>;
     /**
-     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
+     * Build dependency tree from graph, starting from direct deps.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps
+     * @param {string[]} directDeps - canonical names of direct deps
      * @param {Set<string>} ignoredDeps
-     * @returns {Set<string>}
+     * @param {boolean} includeTransitive
+     * @returns {DepTreeEntry[]}
+     * @protected
+     */
+    protected _buildDependencyTree(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>, includeTransitive: boolean): DepTreeEntry[];
+    /**
+     * Recursively collect transitive dependencies.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} childKeys
+     * @param {DepTreeEntry[]} result - mutated in place
+     * @param {Set<string>} ignoredDeps
+     * @param {Set<string>} visited
+     * @returns {void}
      * @protected
      */
-    protected _reachableNodes(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>): Set<string>;
+    protected _collectTransitive(graph: Map<string, GraphEntry>, childKeys: string[], result: DepTreeEntry[], ignoredDeps: Set<string>, visited: Set<string>): void;
     /**
      * @param {string} name
      * @param {string} version
@@ -117,6 +129,15 @@ export default class Base_pyproject {
      * @protected
      */
     protected _toPurl(name: string, version: string): PackageURL;
+    /**
+     * Recursively add a dependency and its transitive deps to the SBOM.
+     * @param {PackageURL} source
+     * @param {DepTreeEntry} dep
+     * @param {Sbom} sbom
+     * @returns {void}
+     * @private
+     */
+    private _addAllDependencies;
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml

package/dist/src/providers/base_pyproject.js

@@ -220,29 +220,64 @@ export default class Base_pyproject {
         return ignored;
     }
     /**
-     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
+     * Build dependency tree from graph, starting from direct deps.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps
+     * @param {string[]} directDeps - canonical names of direct deps
      * @param {Set<string>} ignoredDeps
-     * @returns {Set<string>}
+     * @param {boolean} includeTransitive
+     * @returns {DepTreeEntry[]}
      * @protected
      */
-    _reachableNodes(graph, directDeps, ignoredDeps) {
-        let reachable = new Set();
-        let queue = directDeps.filter(k => !ignoredDeps.has(k) && graph.has(k));
-        while (queue.length > 0) {
-            let key = queue.shift();
-            if (reachable.has(key)) {
+    _buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive) {
+        let result = [];
+        for (let key of directDeps) {
+            if (ignoredDeps.has(key)) {
                 continue;
             }
-            reachable.add(key);
-            for (let child of graph.get(key).children) {
-                if (!ignoredDeps.has(child) && graph.has(child) && !reachable.has(child)) {
-                    queue.push(child);
-                }
+            let entry = graph.get(key);
+            if (!entry) {
+                continue;
             }
+            let depTree = [];
+            if (includeTransitive) {
+                let visited = new Set();
+                visited.add(key);
+                this._collectTransitive(graph, entry.children, depTree, ignoredDeps, visited);
+            }
+            result.push({ name: entry.name, version: entry.version, dependencies: depTree });
         }
-        return reachable;
+        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+        return result;
+    }
+    /**
+     * Recursively collect transitive dependencies.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} childKeys
+     * @param {DepTreeEntry[]} result - mutated in place
+     * @param {Set<string>} ignoredDeps
+     * @param {Set<string>} visited
+     * @returns {void}
+     * @protected
+     */
+    _collectTransitive(graph, childKeys, result, ignoredDeps, visited) {
+        for (let childKey of childKeys) {
+            let canonKey = this._canonicalize(childKey);
+            if (ignoredDeps.has(canonKey)) {
+                continue;
+            }
+            if (visited.has(canonKey)) {
+                continue;
+            }
+            visited.add(canonKey);
+            let entry = graph.get(canonKey);
+            if (!entry) {
+                continue;
+            }
+            let childDeps = [];
+            this._collectTransitive(graph, entry.children, childDeps, ignoredDeps, visited);
+            result.push({ name: entry.name, version: entry.version, dependencies: childDeps });
+        }
+        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
     }
     /**
      * @param {string} name
@@ -253,6 +288,21 @@ export default class Base_pyproject {
     _toPurl(name, version) {
         return new PackageURL('pypi', undefined, name, version, undefined, undefined);
     }
+    /**
+     * Recursively add a dependency and its transitive deps to the SBOM.
+     * @param {PackageURL} source
+     * @param {DepTreeEntry} dep
+     * @param {Sbom} sbom
+     * @returns {void}
+     * @private
+     */
+    _addAllDependencies(source, dep, sbom) {
+        let targetPurl = this._toPurl(dep.name, dep.version);
+        sbom.addDependency(source, targetPurl);
+        if (dep.dependencies && dep.dependencies.length > 0) {
+            dep.dependencies.forEach(child => this._addAllDependencies(this._toPurl(dep.name, dep.version), child, sbom));
+        }
+    }
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml
@@ -268,47 +318,21 @@ export default class Base_pyproject {
         let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
         let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
         let ignoredDeps = this._getIgnoredDeps(manifest);
+        let dependencies = this._buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive);
         let sbom = new Sbom();
         let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
         let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
         let rootPurl = this._toPurl(rootName, rootVersion);
         let license = this.readLicenseFromManifest(manifest);
         sbom.addRoot(rootPurl, license);
-        if (includeTransitive) {
-            let reachable = this._reachableNodes(graph, directDeps, ignoredDeps);
-            for (let key of directDeps) {
-                if (!reachable.has(key)) {
-                    continue;
-                }
-                let entry = graph.get(key);
-                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+        dependencies.forEach(dep => {
+            if (includeTransitive) {
+                this._addAllDependencies(rootPurl, dep, sbom);
             }
-            for (let [key, entry] of graph) {
-                if (!reachable.has(key)) {
-                    continue;
-                }
-                let parentPurl = this._toPurl(entry.name, entry.version);
-                for (let child of entry.children) {
-                    if (!reachable.has(child)) {
-                        continue;
-                    }
-                    let childEntry = graph.get(child);
-                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
-                }
+            else {
+                sbom.addDependency(rootPurl, this._toPurl(dep.name, dep.version));
             }
-        }
-        else {
-            for (let key of directDeps) {
-                if (ignoredDeps.has(key)) {
-                    continue;
-                }
-                let entry = graph.get(key);
-                if (!entry) {
-                    continue;
-                }
-                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
-            }
-        }
+        });
         return sbom.getAsJsonString(opts);
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.320ec49",
+	"version": "0.3.0-ea.3621bb7",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",

package/dist/src/providers/python_pip_pyproject.d.ts

@@ -1,61 +0,0 @@
-/**
- * Python provider for pyproject.toml files using PEP 621 format without a lock file.
- * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
- * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
- */
-export default class Python_pip_pyproject extends Base_pyproject {
-    /**
-     * Always returns true — pip provider is the fallback when no lock file is found.
-     * @param {string} manifestDir
-     * @param {{}} [opts={}]
-     * @returns {boolean}
-     */
-    validateLockFile(manifestDir: string, opts?: {}): boolean;
-    /**
-     * Get pip report output from env var override or by running pip.
-     * @param {string} manifestDir - directory containing pyproject.toml
-     * @param {{}} [opts={}]
-     * @returns {string} pip report JSON string
-     */
-    _getPipReportOutput(manifestDir: string, opts?: {}): string;
-    /**
-     * Parse pip report JSON and build dependency graph.
-     * @param {string} reportJson - pip report JSON string
-     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
-     */
-    _parsePipReport(reportJson: string): {
-        directDeps: string[];
-        graph: Map<string, {
-            name: string;
-            version: string;
-            children: string[];
-        }>;
-    };
-    /**
-     * Check if a requires_dist entry is an extras-only dependency.
-     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
-     * @returns {boolean}
-     */
-    _hasExtraMarker(req: string): boolean;
-    /**
-     * Extract package name from a requires_dist entry.
-     * @param {string} req - e.g. "charset_normalizer<4,>=2"
-     * @returns {string|null}
-     */
-    _extractDepName(req: string): string | null;
-    /**
-     * Resolve dependencies using pip install --dry-run --report.
-     * @param {string} manifestDir
-     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
-     * @param {object} parsed - parsed pyproject.toml
-     * @param {{}} [opts={}]
-     * @returns {Promise<{directDeps: string[], graph: Map}>}
-     */
-    _getDependencyData(manifestDir: string, _workspaceDir: string, parsed: object, opts?: {}): Promise<{
-        directDeps: string[];
-        graph: Map<any, any>;
-    }>;
-    _findEggInfoDirs(dir: any): string[];
-    _cleanupEggInfo(dir: any, existing: any): void;
-}
-import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_pip_pyproject.js

@@ -1,144 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
-import Base_pyproject from './base_pyproject.js';
-/**
- * Python provider for pyproject.toml files using PEP 621 format without a lock file.
- * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
- * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
- */
-export default class Python_pip_pyproject extends Base_pyproject {
-    /** @returns {string} */
-    _lockFileName() {
-        return '.pip-lock-nonexistent';
-    }
-    /** @returns {string} */
-    _cmdName() {
-        return 'pip';
-    }
-    /**
-     * Always returns true — pip provider is the fallback when no lock file is found.
-     * @param {string} manifestDir
-     * @param {{}} [opts={}]
-     * @returns {boolean}
-     */
-    // eslint-disable-next-line no-unused-vars
-    validateLockFile(manifestDir, opts = {}) {
-        return true;
-    }
-    /**
-     * Get pip report output from env var override or by running pip.
-     * @param {string} manifestDir - directory containing pyproject.toml
-     * @param {{}} [opts={}]
-     * @returns {string} pip report JSON string
-     */
-    _getPipReportOutput(manifestDir, opts) {
-        if (environmentVariableIsPopulated('TRUSTIFY_DA_PIP_REPORT')) {
-            return Buffer.from(process.env['TRUSTIFY_DA_PIP_REPORT'], 'base64').toString('ascii');
-        }
-        let pipBin = getCustomPath('pip3', opts);
-        try {
-            invokeCommand(pipBin, ['--version']);
-        }
-        catch {
-            pipBin = getCustomPath('pip', opts);
-        }
-        let eggInfoDirs = this._findEggInfoDirs(manifestDir);
-        let result = invokeCommand(pipBin, [
-            'install', '--dry-run', '--ignore-installed', '--quiet', '--report', '-', '.'
-        ], { cwd: manifestDir }).toString();
-        this._cleanupEggInfo(manifestDir, eggInfoDirs);
-        return result;
-    }
-    /**
-     * Parse pip report JSON and build dependency graph.
-     * @param {string} reportJson - pip report JSON string
-     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
-     */
-    _parsePipReport(reportJson) {
-        let report = JSON.parse(reportJson);
-        let packages = report.install || [];
-        let rootEntry = packages.find(p => p.download_info?.dir_info !== undefined);
-        let rootRequires = rootEntry?.metadata?.requires_dist || [];
-        let directDepNames = new Set();
-        for (let req of rootRequires) {
-            if (this._hasExtraMarker(req)) {
-                continue;
-            }
-            let name = this._extractDepName(req);
-            if (name) {
-                directDepNames.add(this._canonicalize(name));
-            }
-        }
-        let graph = new Map();
-        let nonRootPackages = packages.filter(p => p !== rootEntry);
-        for (let pkg of nonRootPackages) {
-            let name = pkg.metadata.name;
-            let version = pkg.metadata.version;
-            let key = this._canonicalize(name);
-            graph.set(key, { name, version, children: [] });
-        }
-        for (let pkg of nonRootPackages) {
-            let key = this._canonicalize(pkg.metadata.name);
-            let entry = graph.get(key);
-            let requires = pkg.metadata.requires_dist || [];
-            for (let req of requires) {
-                let depName = this._extractDepName(req);
-                if (!depName) {
-                    continue;
-                }
-                let depKey = this._canonicalize(depName);
-                if (graph.has(depKey)) {
-                    entry.children.push(depKey);
-                }
-            }
-        }
-        let directDeps = [...directDepNames].filter(key => graph.has(key));
-        return { directDeps, graph };
-    }
-    /**
-     * Check if a requires_dist entry is an extras-only dependency.
-     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
-     * @returns {boolean}
-     */
-    _hasExtraMarker(req) {
-        return /;\s*.*extra\s*==/.test(req);
-    }
-    /**
-     * Extract package name from a requires_dist entry.
-     * @param {string} req - e.g. "charset_normalizer<4,>=2"
-     * @returns {string|null}
-     */
-    _extractDepName(req) {
-        let match = req.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
-        return match ? match[1] : null;
-    }
-    /**
-     * Resolve dependencies using pip install --dry-run --report.
-     * @param {string} manifestDir
-     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
-     * @param {object} parsed - parsed pyproject.toml
-     * @param {{}} [opts={}]
-     * @returns {Promise<{directDeps: string[], graph: Map}>}
-     */
-    // eslint-disable-next-line no-unused-vars
-    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
-        let reportOutput = this._getPipReportOutput(manifestDir, opts);
-        return this._parsePipReport(reportOutput);
-    }
-    _findEggInfoDirs(dir) {
-        try {
-            return fs.readdirSync(dir).filter(f => f.endsWith('.egg-info'));
-        }
-        catch {
-            return [];
-        }
-    }
-    _cleanupEggInfo(dir, existing) {
-        for (let entry of this._findEggInfoDirs(dir)) {
-            if (!existing.includes(entry)) {
-                fs.rmSync(path.join(dir, entry), { recursive: true, force: true });
-            }
-        }
-    }
-}