@trustify-da/trustify-da-javascript-client 0.3.0-ea.38515a7 → 0.3.0-ea.3aa2054

package/dist/src/cli.js

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
+import fs from 'node:fs';
 import * as path from "path";
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import { getProjectLicense, getLicenseDetails } from './license/index.js';
-import client, { selectTrustifyDABackend } from './index.js';
+import client, { selectTrustifyDABackend, generateSbom } from './index.js';
 // command for component analysis take manifest type and content
 const component = {
     command: 'component </path/to/manifest>',
@@ -325,15 +326,63 @@ const license = {
         console.log(JSON.stringify(output, null, 2));
     }
 };
+const sbom = {
+    command: 'sbom </path/to/manifest> [--output]',
+    desc: 'generate a CycloneDX SBOM from a manifest file',
+    builder: yargs => yargs.positional('/path/to/manifest', {
+        desc: 'manifest path for SBOM generation',
+        type: 'string',
+        normalize: true,
+    }).options({
+        output: {
+            alias: 'o',
+            desc: 'Write SBOM JSON to a file instead of stdout',
+            type: 'string',
+            normalize: true,
+        },
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
+        }
+    }),
+    handler: async (args) => {
+        let manifest = args['/path/to/manifest'];
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
+        let result;
+        try {
+            result = await generateSbom(manifest, opts);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: `Failed to generate SBOM: ${err.message}` }, null, 2));
+            process.exit(1);
+        }
+        const json = JSON.stringify(result, null, 2);
+        if (args.output) {
+            try {
+                fs.writeFileSync(args.output, json);
+            }
+            catch (err) {
+                console.error(JSON.stringify({ error: `Failed to write output file: ${err.message}` }, null, 2));
+                process.exit(1);
+            }
+        }
+        else {
+            console.log(json);
+        }
+    }
+};
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license|sbom}`)
     .command(stack)
     .command(stackBatch)
     .command(component)
     .command(image)
     .command(validateToken)
     .command(license)
+    .command(sbom)
     .scriptName('')
     .version(false)
     .demandCommand(1)

package/dist/src/index.d.ts

@@ -13,6 +13,15 @@ export function selectTrustifyDABackend(opts?: {
     TRUSTIFY_DA_DEBUG?: string | undefined;
     TRUSTIFY_DA_BACKEND_URL?: string | undefined;
 }): string;
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export function generateSbom(manifestPath: string, opts?: Options): Promise<object>;
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 declare namespace _default {
@@ -21,6 +30,7 @@ declare namespace _default {
     export { stackAnalysisBatch };
     export { imageAnalysis };
     export { validateToken };
+    export { generateSbom };
 }
 export default _default;
 export type Options = {

package/dist/src/index.js

@@ -12,7 +12,7 @@ import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
-export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken };
+export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
 export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
@@ -237,6 +237,22 @@ function buildBatchAnalysisMetadata(root, ecosystem, totalSbomAttempts, successf
         errors: [...errors],
     };
 }
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export async function generateSbom(manifestPath, opts = {}) {
+    fs.accessSync(manifestPath, fs.constants.R_OK);
+    const result = await generateOneSbom(manifestPath, opts);
+    if (!result.ok) {
+        throw new Error(`Failed to generate SBOM for ${result.manifestPath}: ${result.reason}`);
+    }
+    return result.sbom;
+}
 /**
  * @typedef {{ ok: true, purl: string, sbom: object } | { ok: false, manifestPath: string, reason: string }} SbomResult
  */

package/dist/src/providers/base_pyproject.d.ts

@@ -10,9 +10,29 @@ export default class Base_pyproject {
     isSupported(manifestName: string): boolean;
     /**
      * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: any): boolean;
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    protected _findLockFileDir(manifestDir: string, opts?: any): string | null;
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
      * @returns {boolean}
+     * @protected
      */
-    validateLockFile(manifestDir: string): boolean;
+    protected _isWorkspaceRoot(dir: string): boolean;
     /**
      * Read project license from pyproject.toml, with fallback to LICENSE file.
      * @param {string} manifestPath
@@ -43,13 +63,16 @@ export default class Base_pyproject {
     protected _cmdName(): string;
     /**
      * Resolve dependencies using the tool-specific command and parser.
-     * @param {string} manifestDir
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
      * @param {object} parsed - parsed pyproject.toml
      * @param {Object} opts
      * @returns {Promise<DependencyData>}
      * @protected
      */
-    protected _getDependencyData(manifestDir: string, parsed: object, opts: any): Promise<DependencyData>;
+    protected _getDependencyData(manifestDir: string, workspaceDir: string, parsed: object, opts: any): Promise<DependencyData>;
     /**
      * Canonicalize a Python package name per PEP 503.
      * @param {string} name

package/dist/src/providers/base_pyproject.js

@@ -4,6 +4,7 @@ import { PackageURL } from 'packageurl-js';
 import { parse as parseToml } from 'smol-toml';
 import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
+import { getCustom } from '../tools.js';
 const ecosystem = 'pip';
 const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
 const DEFAULT_ROOT_NAME = 'default-pip-root';
@@ -22,10 +23,64 @@ export default class Base_pyproject {
     }
     /**
      * @param {string} manifestDir
+     * @param {Object} [opts={}]
      * @returns {boolean}
      */
-    validateLockFile(manifestDir) {
-        return fs.existsSync(path.join(manifestDir, this._lockFileName()));
+    validateLockFile(manifestDir, opts = {}) {
+        return this._findLockFileDir(manifestDir, opts) != null;
+    }
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        let dir = path.resolve(manifestDir);
+        let parent = dir;
+        do {
+            dir = parent;
+            if (fs.existsSync(path.join(dir, this._lockFileName()))) {
+                return dir;
+            }
+            if (this._isWorkspaceRoot(dir)) {
+                return null;
+            }
+            parent = path.dirname(dir);
+        } while (parent !== dir);
+        return null;
+    }
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    _isWorkspaceRoot(dir) {
+        const pyprojectPath = path.join(dir, 'pyproject.toml');
+        if (!fs.existsSync(pyprojectPath)) {
+            return false;
+        }
+        try {
+            const content = parseToml(fs.readFileSync(pyprojectPath, 'utf-8'));
+            if (content.tool?.uv?.workspace) {
+                return true;
+            }
+        }
+        catch (_) {
+            // ignore parse errors
+        }
+        return false;
     }
     /**
      * Read project license from pyproject.toml, with fallback to LICENSE file.
@@ -91,14 +146,17 @@ export default class Base_pyproject {
     }
     /**
      * Resolve dependencies using the tool-specific command and parser.
-     * @param {string} manifestDir
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
      * @param {object} parsed - parsed pyproject.toml
      * @param {Object} opts
      * @returns {Promise<DependencyData>}
      * @protected
      */
     // eslint-disable-next-line no-unused-vars
-    async _getDependencyData(manifestDir, parsed, opts) {
+    async _getDependencyData(manifestDir, workspaceDir, parsed, opts) {
         throw new TypeError('_getDependencyData must be implemented');
     }
     // --- shared helpers ---
@@ -257,7 +315,8 @@ export default class Base_pyproject {
         let manifestDir = path.dirname(manifest);
         let content = fs.readFileSync(manifest, 'utf-8');
         let parsed = parseToml(content);
-        let { directDeps, graph } = await this._getDependencyData(manifestDir, parsed, opts);
+        let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
+        let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
         let ignoredDeps = this._getIgnoredDeps(manifest);
         let dependencies = this._buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive);
         let sbom = new Sbom();

package/dist/src/providers/python_poetry.js

@@ -1,6 +1,27 @@
-import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import fs from 'node:fs';
+import path from 'node:path';
+import { environmentVariableIsPopulated, getCustom, getCustomPath, invokeCommand } from '../tools.js';
 import Base_pyproject from './base_pyproject.js';
 export default class Python_poetry extends Base_pyproject {
+    /**
+     * Poetry has no native workspace/monorepo support (python-poetry/poetry#2270).
+     * Each poetry project is treated independently — no lock file walk-up.
+     * Running `poetry show` from a parent directory returns the parent's deps, not
+     * the sub-package's, so walk-up would produce incorrect SBOMs.
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        const dir = path.resolve(manifestDir);
+        return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+    }
     /** @returns {string} */
     _lockFileName() {
         return 'poetry.lock';
@@ -11,11 +32,13 @@ export default class Python_poetry extends Base_pyproject {
     }
     /**
      * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (poetry has no workspace support)
      * @param {object} parsed - parsed pyproject.toml
      * @param {Object} opts
      * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
      */
-    async _getDependencyData(manifestDir, parsed, opts) {
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
         let treeOutput = this._getPoetryShowTreeOutput(manifestDir, opts);
         let showAllOutput = this._getPoetryShowAllOutput(manifestDir, opts);
         let versionMap = this._parsePoetryShowAll(showAllOutput);
@@ -89,7 +112,7 @@ export default class Python_poetry extends Base_pyproject {
                 continue;
             }
             // top-level line: "name version description..."
-            let topMatch = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s+(\S+)\s/);
+            let topMatch = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s+(\S+)(?:\s|$)/);
             if (topMatch) {
                 let name = topMatch[1];
                 let version = topMatch[2];

package/dist/src/providers/python_uv.d.ts

@@ -12,9 +12,10 @@ export default class Python_uv extends Base_pyproject {
      *
      * @param {string} output
      * @param {string} projectName - canonical project name to identify direct deps
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
      * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
      */
-    _parseUvExport(output: string, projectName: string): Promise<{
+    _parseUvExport(output: string, projectName: string, workspaceDir: string): Promise<{
         directDeps: string[];
         graph: Map<string, {
             name: string;

package/dist/src/providers/python_uv.js

@@ -1,3 +1,6 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { parse as parseToml } from 'smol-toml';
 import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
 import Base_pyproject from './base_pyproject.js';
 import { getParser, getPinnedVersionQuery } from './requirements_parser.js';
@@ -11,15 +14,16 @@ export default class Python_uv extends Base_pyproject {
         return 'uv';
     }
     /**
-     * @param {string} manifestDir
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
      * @param {object} parsed - parsed pyproject.toml
      * @param {Object} opts
      * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
      */
-    async _getDependencyData(manifestDir, parsed, opts) {
+    async _getDependencyData(manifestDir, workspaceDir, parsed, opts) {
         let projectName = this._getProjectName(parsed);
         let uvOutput = this._getUvExportOutput(manifestDir, opts);
-        return this._parseUvExport(uvOutput, projectName);
+        return this._parseUvExport(uvOutput, projectName, workspaceDir);
     }
     /**
      * Get the uv export output, either from env var or by running the command.
@@ -40,9 +44,10 @@ export default class Python_uv extends Base_pyproject {
      *
      * @param {string} output
      * @param {string} projectName - canonical project name to identify direct deps
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
      * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
      */
-    async _parseUvExport(output, projectName) {
+    async _parseUvExport(output, projectName, workspaceDir) {
         let [parser, pinnedVersionQuery] = await Promise.all([
             getParser(), getPinnedVersionQuery()
         ]);
@@ -53,6 +58,29 @@ export default class Python_uv extends Base_pyproject {
         let currentPkg = null;
         let collectingVia = false;
         for (let child of root.children) {
+            if (child.type === 'global_opt') {
+                let optNode = child.children.find(c => c.type === 'option');
+                let pathNode = child.children.find(c => c.type === 'path');
+                if (optNode?.text === '-e' && pathNode && workspaceDir) {
+                    let memberDir = path.resolve(workspaceDir, pathNode.text);
+                    let memberManifest = path.join(memberDir, 'pyproject.toml');
+                    if (fs.existsSync(memberManifest)) {
+                        let memberParsed = parseToml(fs.readFileSync(memberManifest, 'utf-8'));
+                        let name = memberParsed.project?.name || memberParsed.tool?.poetry?.name;
+                        let version = memberParsed.project?.version || memberParsed.tool?.poetry?.version;
+                        if (name && version) {
+                            let key = this._canonicalize(name);
+                            currentPkg = { name, version, parents: new Set() };
+                            packages.set(key, currentPkg);
+                            collectingVia = false;
+                            continue;
+                        }
+                    }
+                }
+                currentPkg = null;
+                collectingVia = false;
+                continue;
+            }
             if (child.type === 'requirement') {
                 let nameNode = child.children.find(c => c.type === 'package');
                 if (!nameNode) {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.38515a7",
+	"version": "0.3.0-ea.3aa2054",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",