npm - @trustify-da/trustify-da-javascript-client - Versions diffs - 0.3.0-ea.3aa2054 → 0.3.0-ea.4558b63 - Mend

@trustify-da/trustify-da-javascript-client 0.3.0-ea.3aa2054 → 0.3.0-ea.4558b63

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/dist/src/index.d.ts +58 -2
package/dist/src/index.js +43 -2
package/dist/src/provider.js +2 -0
package/dist/src/providers/base_java.d.ts +0 -9
package/dist/src/providers/base_java.js +2 -38
package/dist/src/providers/base_pyproject.d.ts +4 -25
package/dist/src/providers/base_pyproject.js +48 -72
package/dist/src/providers/java_maven.d.ts +8 -0
package/dist/src/providers/java_maven.js +93 -1
package/dist/src/providers/javascript_npm.d.ts +1 -0
package/dist/src/providers/javascript_npm.js +21 -0
package/dist/src/providers/javascript_pnpm.js +6 -2
package/dist/src/providers/processors/yarn_berry_processor.js +6 -2
package/dist/src/providers/python_controller.js +7 -3
package/dist/src/providers/python_pip_pyproject.d.ts +61 -0
package/dist/src/providers/python_pip_pyproject.js +144 -0
package/dist/src/providers/python_poetry.d.ts +2 -1
package/dist/src/providers/python_poetry.js +9 -3
package/dist/src/providers/python_uv.js +4 -1
package/dist/src/tools.d.ts +16 -0
package/dist/src/tools.js +40 -0
package/package.json +1 -1

package/dist/src/index.d.ts CHANGED Viewed

@@ -136,19 +136,74 @@ declare function stackAnalysis(manifest: string, html: false, opts?: Options | u
  * 		or backend request failed
  */
 declare function stackAnalysis(manifest: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: string;
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<string>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<{
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
  * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
  * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
  */
-declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean, opts?: Options): Promise<string | {
+declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | {
     [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
 } | {
     analysis: string | {
@@ -196,6 +251,7 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+import { discoverMavenModules } from './providers/java_maven.js';
 import { discoverWorkspacePackages } from './workspace.js';
 import { discoverWorkspaceCrates } from './workspace.js';
 import { validatePackageJson } from './workspace.js';
@@ -203,5 +259,5 @@ import { resolveWorkspaceDiscoveryIgnore } from './workspace.js';
 import { filterManifestPathsByDiscoveryIgnore } from './workspace.js';
 import { resolveContinueOnError } from './batch_opts.js';
 import { resolveBatchMetadata } from './batch_opts.js';
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
+export { discoverMavenModules, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";

package/dist/src/index.js CHANGED Viewed

@@ -6,6 +6,7 @@ import analysis from './analysis.js';
 import fs from 'node:fs';
 import { getCustom } from "./tools.js";
 import { resolveBatchMetadata, resolveContinueOnError } from './batch_opts.js';
+import { discoverMavenModules } from './providers/java_maven.js';
 import { discoverWorkspaceCrates, discoverWorkspacePackages, filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, validatePackageJson, } from './workspace.js';
 import.meta.dirname;
 import * as url from 'url';
@@ -13,7 +14,7 @@ export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
 export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
+export { discoverMavenModules, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
  * TRUSTIFY_DA_CARGO_PATH?: string | undefined,
@@ -279,16 +280,23 @@ async function generateOneSbom(manifestPath, workspaceOpts) {
  *
  * @param {string} root - Resolved workspace root
  * @param {Options} opts
- * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'unknown', manifestPaths: string[] }>}
+ * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'maven' | 'unknown', manifestPaths: string[] }>}
  * @private
  */
 async function detectWorkspaceManifests(root, opts) {
     const cargoToml = path.join(root, 'Cargo.toml');
     const cargoLock = path.join(root, 'Cargo.lock');
     const packageJson = path.join(root, 'package.json');
+    const pomXml = path.join(root, 'pom.xml');
     if (fs.existsSync(cargoToml) && fs.existsSync(cargoLock)) {
         return { ecosystem: 'cargo', manifestPaths: await discoverWorkspaceCrates(root, opts) };
     }
+    if (fs.existsSync(pomXml)) {
+        const manifestPaths = await discoverMavenModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'maven', manifestPaths };
+        }
+    }
     const hasJsLock = fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
         || fs.existsSync(path.join(root, 'yarn.lock'))
         || fs.existsSync(path.join(root, 'package-lock.json'));
@@ -398,12 +406,45 @@ function batchError(message, wantMetadata, metadata) {
     }
     return err;
 }
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)

package/dist/src/provider.js CHANGED Viewed

@@ -7,6 +7,7 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_pip_pyproject from './providers/python_pip_pyproject.js';
 import Python_poetry from './providers/python_poetry.js';
 import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
@@ -27,6 +28,7 @@ export const availableProviders = [
     pythonPipProvider,
     new Python_poetry(),
     new Python_uv(),
+    new Python_pip_pyproject(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_java.d.ts CHANGED Viewed

@@ -57,15 +57,6 @@ export default class Base_Java {
      * @returns string
      */
     selectToolBinary(manifestPath: string, opts: {}): string | null;
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest: string, repoRoot?: string): string | undefined;
-    normalizePath(thePath: any): string;
     #private;
 }
 export type Provided = import("../provider").Provided;

package/dist/src/providers/base_java.js CHANGED Viewed

@@ -1,7 +1,6 @@
-import fs from 'node:fs';
 import path from 'node:path';
 import { PackageURL } from 'packageurl-js';
-import { getCustomPath, getGitRootDir, getWrapperPreference, invokeCommand } from "../tools.js";
+import { getCustomPath, getWrapperPreference, invokeCommand, traverseForWrapper } from "../tools.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -131,7 +130,7 @@ export default class Base_Java {
         const toolPath = getCustomPath(this.globalBinary, opts);
         const useWrapper = getWrapperPreference(this.globalBinary, opts);
         if (useWrapper) {
-            const wrapper = this.traverseForWrapper(manifestPath);
+            const wrapper = traverseForWrapper(manifestDir, this.localWrapper);
             if (wrapper !== undefined) {
                 try {
                     this._invokeCommand(wrapper, ['--version'], { cwd: manifestDir });
@@ -156,39 +155,4 @@ export default class Base_Java {
         }
         return toolPath;
     }
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest, repoRoot = undefined) {
-        const normalizedManifest = this.normalizePath(startingManifest);
-        const currentDir = this.normalizePath(path.dirname(normalizedManifest));
-        repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(normalizedManifest).root;
-        const wrapperPath = path.join(currentDir, this.localWrapper);
-        try {
-            fs.accessSync(wrapperPath, fs.constants.X_OK);
-            return wrapperPath;
-        }
-        catch (error) {
-            if (error.code === 'ENOENT') {
-                const rootDir = path.parse(currentDir).root;
-                if (currentDir === repoRoot || currentDir === rootDir) {
-                    return undefined;
-                }
-                const parentDir = path.dirname(currentDir);
-                if (parentDir === currentDir || parentDir === rootDir) {
-                    return undefined;
-                }
-                return this.traverseForWrapper(path.join(parentDir, path.basename(normalizedManifest)), repoRoot);
-            }
-            throw new Error(`failure searching for ${this.localWrapper}`, { cause: error });
-        }
-    }
-    normalizePath(thePath) {
-        const normalized = path.resolve(thePath).normalize();
-        return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
-    }
 }

package/dist/src/providers/base_pyproject.d.ts CHANGED Viewed

@@ -102,26 +102,14 @@ export default class Base_pyproject {
      */
     protected _getIgnoredDeps(manifestPath: string): Set<string>;
     /**
-     * Build dependency tree from graph, starting from direct deps.
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {string[]} directDeps
      * @param {Set<string>} ignoredDeps
-     * @param {boolean} includeTransitive
-     * @returns {DepTreeEntry[]}
-     * @protected
-     */
-    protected _buildDependencyTree(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>, includeTransitive: boolean): DepTreeEntry[];
-    /**
-     * Recursively collect transitive dependencies.
-     * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} childKeys
-     * @param {DepTreeEntry[]} result - mutated in place
-     * @param {Set<string>} ignoredDeps
-     * @param {Set<string>} visited
-     * @returns {void}
+     * @returns {Set<string>}
      * @protected
      */
-    protected _collectTransitive(graph: Map<string, GraphEntry>, childKeys: string[], result: DepTreeEntry[], ignoredDeps: Set<string>, visited: Set<string>): void;
+    protected _reachableNodes(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>): Set<string>;
     /**
      * @param {string} name
      * @param {string} version
@@ -129,15 +117,6 @@ export default class Base_pyproject {
      * @protected
      */
     protected _toPurl(name: string, version: string): PackageURL;
-    /**
-     * Recursively add a dependency and its transitive deps to the SBOM.
-     * @param {PackageURL} source
-     * @param {DepTreeEntry} dep
-     * @param {Sbom} sbom
-     * @returns {void}
-     * @private
-     */
-    private _addAllDependencies;
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml

package/dist/src/providers/base_pyproject.js CHANGED Viewed

@@ -220,64 +220,29 @@ export default class Base_pyproject {
         return ignored;
     }
     /**
-     * Build dependency tree from graph, starting from direct deps.
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {string[]} directDeps
      * @param {Set<string>} ignoredDeps
-     * @param {boolean} includeTransitive
-     * @returns {DepTreeEntry[]}
-     * @protected
-     */
-    _buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive) {
-        let result = [];
-        for (let key of directDeps) {
-            if (ignoredDeps.has(key)) {
-                continue;
-            }
-            let entry = graph.get(key);
-            if (!entry) {
-                continue;
-            }
-            let depTree = [];
-            if (includeTransitive) {
-                let visited = new Set();
-                visited.add(key);
-                this._collectTransitive(graph, entry.children, depTree, ignoredDeps, visited);
-            }
-            result.push({ name: entry.name, version: entry.version, dependencies: depTree });
-        }
-        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
-        return result;
-    }
-    /**
-     * Recursively collect transitive dependencies.
-     * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} childKeys
-     * @param {DepTreeEntry[]} result - mutated in place
-     * @param {Set<string>} ignoredDeps
-     * @param {Set<string>} visited
-     * @returns {void}
+     * @returns {Set<string>}
      * @protected
      */
-    _collectTransitive(graph, childKeys, result, ignoredDeps, visited) {
-        for (let childKey of childKeys) {
-            let canonKey = this._canonicalize(childKey);
-            if (ignoredDeps.has(canonKey)) {
-                continue;
-            }
-            if (visited.has(canonKey)) {
+    _reachableNodes(graph, directDeps, ignoredDeps) {
+        let reachable = new Set();
+        let queue = directDeps.filter(k => !ignoredDeps.has(k) && graph.has(k));
+        while (queue.length > 0) {
+            let key = queue.shift();
+            if (reachable.has(key)) {
                 continue;
             }
-            visited.add(canonKey);
-            let entry = graph.get(canonKey);
-            if (!entry) {
-                continue;
+            reachable.add(key);
+            for (let child of graph.get(key).children) {
+                if (!ignoredDeps.has(child) && graph.has(child) && !reachable.has(child)) {
+                    queue.push(child);
+                }
             }
-            let childDeps = [];
-            this._collectTransitive(graph, entry.children, childDeps, ignoredDeps, visited);
-            result.push({ name: entry.name, version: entry.version, dependencies: childDeps });
         }
-        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+        return reachable;
     }
     /**
      * @param {string} name
@@ -288,21 +253,6 @@ export default class Base_pyproject {
     _toPurl(name, version) {
         return new PackageURL('pypi', undefined, name, version, undefined, undefined);
     }
-    /**
-     * Recursively add a dependency and its transitive deps to the SBOM.
-     * @param {PackageURL} source
-     * @param {DepTreeEntry} dep
-     * @param {Sbom} sbom
-     * @returns {void}
-     * @private
-     */
-    _addAllDependencies(source, dep, sbom) {
-        let targetPurl = this._toPurl(dep.name, dep.version);
-        sbom.addDependency(source, targetPurl);
-        if (dep.dependencies && dep.dependencies.length > 0) {
-            dep.dependencies.forEach(child => this._addAllDependencies(this._toPurl(dep.name, dep.version), child, sbom));
-        }
-    }
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml
@@ -318,21 +268,47 @@ export default class Base_pyproject {
         let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
         let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
         let ignoredDeps = this._getIgnoredDeps(manifest);
-        let dependencies = this._buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive);
         let sbom = new Sbom();
         let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
         let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
         let rootPurl = this._toPurl(rootName, rootVersion);
         let license = this.readLicenseFromManifest(manifest);
         sbom.addRoot(rootPurl, license);
-        dependencies.forEach(dep => {
-            if (includeTransitive) {
-                this._addAllDependencies(rootPurl, dep, sbom);
+        if (includeTransitive) {
+            let reachable = this._reachableNodes(graph, directDeps, ignoredDeps);
+            for (let key of directDeps) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
             }
-            else {
-                sbom.addDependency(rootPurl, this._toPurl(dep.name, dep.version));
+            for (let [key, entry] of graph) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let parentPurl = this._toPurl(entry.name, entry.version);
+                for (let child of entry.children) {
+                    if (!reachable.has(child)) {
+                        continue;
+                    }
+                    let childEntry = graph.get(child);
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
+                }
             }
-        });
+        }
+        else {
+            for (let key of directDeps) {
+                if (ignoredDeps.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                if (!entry) {
+                    continue;
+                }
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+            }
+        }
         return sbom.getAsJsonString(opts);
     }
 }

package/dist/src/providers/java_maven.d.ts CHANGED Viewed

@@ -1,3 +1,11 @@
+/**
+ * Discover all pom.xml manifest paths in a Maven multi-module project.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain pom.xml)
+ * @param {object} [opts={}]
+ * @returns {Promise<string[]>} Paths to pom.xml files (absolute)
+ */
+export function discoverMavenModules(workspaceRoot: string, opts?: object): Promise<string[]>;
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */

package/dist/src/providers/java_maven.js CHANGED Viewed

@@ -5,7 +5,8 @@ import { EOL } from 'os';
 import { XMLParser } from 'fast-xml-parser';
 import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
-import { getCustom } from '../tools.js';
+import { getCustom, invokeCommand } from '../tools.js';
+import { filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore } from '../workspace.js';
 import Base_java, { ecosystem_maven } from "./base_java.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
@@ -289,3 +290,94 @@ export default class Java_maven extends Base_java {
         return deps.filter(d => dep.artifactId === d.artifactId && dep.groupId === d.groupId && dep.scope === d.scope).length > 0;
     }
 }
+const DEFAULT_MAVEN_DISCOVERY_IGNORE = [
+    '**/target/**',
+];
+/**
+ * Discover all pom.xml manifest paths in a Maven multi-module project.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain pom.xml)
+ * @param {object} [opts={}]
+ * @returns {Promise<string[]>} Paths to pom.xml files (absolute)
+ */
+export async function discoverMavenModules(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const rootPom = path.join(root, 'pom.xml');
+    if (!fs.existsSync(rootPom)) {
+        return [];
+    }
+    let mvnBin;
+    try {
+        mvnBin = new Java_maven().selectToolBinary(rootPom, opts);
+    }
+    catch {
+        return [rootPom];
+    }
+    const visited = new Set();
+    const manifestPaths = [rootPom];
+    collectMavenModules(root, mvnBin, visited, manifestPaths);
+    const ignorePatterns = [...resolveWorkspaceDiscoveryIgnore(opts), ...DEFAULT_MAVEN_DISCOVERY_IGNORE];
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * @param {string} dir - Absolute path to directory containing pom.xml
+ * @param {string} mvnBin - Maven binary path
+ * @param {Set<string>} visited - Already-visited directories (cycle guard)
+ * @param {string[]} manifestPaths - Accumulator for discovered pom.xml paths
+ */
+function collectMavenModules(dir, mvnBin, visited, manifestPaths) {
+    const resolvedDir = path.resolve(dir);
+    if (visited.has(resolvedDir)) {
+        return;
+    }
+    visited.add(resolvedDir);
+    const modules = listMavenModules(resolvedDir, mvnBin);
+    for (const mod of modules) {
+        const moduleDir = path.resolve(resolvedDir, mod);
+        const modulePom = path.join(moduleDir, 'pom.xml');
+        if (fs.existsSync(modulePom)) {
+            manifestPaths.push(modulePom);
+            collectMavenModules(moduleDir, mvnBin, visited, manifestPaths);
+        }
+    }
+}
+/**
+ * @param {string} dir - Directory containing pom.xml
+ * @param {string} mvnBin - Maven binary path
+ * @returns {string[]} Module directory names (relative to `dir`)
+ */
+function listMavenModules(dir, mvnBin) {
+    let output;
+    try {
+        output = invokeCommand(mvnBin, [
+            'help:evaluate',
+            '-Dexpression=project.modules',
+            '-q',
+            '-DforceStdout',
+            '-f', path.join(dir, 'pom.xml'),
+            '--batch-mode',
+        ], { cwd: dir });
+    }
+    catch {
+        return [];
+    }
+    const raw = output.toString().trim();
+    if (!raw || raw.startsWith('<modules')) {
+        return [];
+    }
+    return parseMavenModuleList(raw);
+}
+/**
+ * @param {string} raw - Raw stdout from mvn help:evaluate -DforceStdout
+ * @returns {string[]}
+ */
+function parseMavenModuleList(raw) {
+    const parser = new XMLParser();
+    const parsed = parser.parse(raw);
+    const entries = parsed?.strings?.string;
+    if (!entries) {
+        return [];
+    }
+    const list = Array.isArray(entries) ? entries : [entries];
+    return list.map(s => String(s).trim()).filter(Boolean);
+}

package/dist/src/providers/javascript_npm.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 export default class Javascript_npm extends Base_javascript {
     _listCmdArgs(includeTransitive: any): string[];
+    _buildDependencyTree(includeTransitive: any, opts?: {}): any;
 }
 import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_npm.js CHANGED Viewed

@@ -12,4 +12,25 @@ export default class Javascript_npm extends Base_javascript {
     _updateLockFileCmdArgs() {
         return ['install', '--package-lock-only'];
     }
+    _buildDependencyTree(includeTransitive, opts = {}) {
+        // npm ls --json returns a single tree rooted at the workspace root.
+        // When analyzing a workspace member, its deps are nested under the
+        // root's dependencies keyed by the member name — extract that subtree
+        // so downstream analysis sees only the member's dependencies.
+        const tree = super._buildDependencyTree(includeTransitive, opts);
+        const memberName = this._getManifest().name;
+        if (tree.name === memberName) {
+            return tree;
+        }
+        const memberEntry = tree.dependencies?.[memberName];
+        if (memberEntry) {
+            return {
+                name: memberName,
+                version: memberEntry.version || this._getManifest().version,
+                dependencies: memberEntry.dependencies,
+                optionalDependencies: memberEntry.optionalDependencies,
+            };
+        }
+        return tree;
+    }
 }

package/dist/src/providers/javascript_pnpm.js CHANGED Viewed

@@ -7,15 +7,19 @@ export default class Javascript_pnpm extends Base_javascript {
         return "pnpm";
     }
     _listCmdArgs(includeTransitive) {
-        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json'];
+        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json', '-r'];
     }
     _updateLockFileCmdArgs() {
         return ['install', '--frozen-lockfile'];
     }
     _buildDependencyTree(includeTransitive, opts = {}) {
+        // pnpm ls --json returns an array with one entry per workspace package.
+        // When analyzing a workspace member, find its entry by name instead of
+        // blindly taking the first element (which is the workspace root).
         const tree = super._buildDependencyTree(includeTransitive, opts);
         if (Array.isArray(tree) && tree.length > 0) {
-            return tree[0];
+            const memberName = this._getManifest().name;
+            return tree.find(pkg => pkg.name === memberName) || tree[0];
         }
         return {};
     }

package/dist/src/providers/processors/yarn_berry_processor.js CHANGED Viewed

@@ -15,7 +15,10 @@ export default class Yarn_berry_processor extends Yarn_processor {
      * @returns {string[]} Command arguments for listing dependencies
      */
     listCmdArgs(includeTransitive) {
-        return ['info', includeTransitive ? '--recursive' : '--all', '--json'];
+        // --all is needed to include workspace members in the output
+        return includeTransitive
+            ? ['info', '--recursive', '--all', '--json']
+            : ['info', '--all', '--json'];
     }
     /**
      * Returns the command arguments for updating the lock file
@@ -68,7 +71,8 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!name) {
             return false;
         }
-        return name.endsWith("@workspace:.");
+        // Workspace members use paths like "member-a@workspace:packages/member-a", not just "@workspace:."
+        return name.startsWith(`${this._manifest.name}@workspace:`);
     }
     /**
    * Adds dependencies to the SBOM

package/dist/src/providers/python_controller.js CHANGED Viewed

@@ -95,7 +95,7 @@ export default class Python_controller {
     }
     /**
      * Parse the requirements.txt file using tree-sitter and return structured requirement data.
-     * @return {Promise<{name: string, version: string|null}[]>}
+     * @return {Promise<{name: string, version: string|null, hasMarker: boolean}[]>}
      */
     async #parseRequirements() {
         const content = fs.readFileSync(this.pathToRequirements).toString();
@@ -107,7 +107,8 @@ export default class Python_controller {
             const version = versionMatches.length > 0
                 ? versionMatches[0].captures.find(c => c.name === 'version').node.text
                 : null;
-            return { name, version };
+            const hasMarker = reqNode.children.some(c => c.type === 'marker_spec');
+            return { name, version, hasMarker };
         }));
     }
     #decideIfWindowsOrLinuxPath(fileName) {
@@ -224,7 +225,10 @@ export default class Python_controller {
                 CachedEnvironmentDeps[packageName.replace("_", "-")] = pipDepTreeEntryForCache;
             });
         }
-        parsedRequirements.forEach(({ name: depName, version: manifestVersion }) => {
+        parsedRequirements.forEach(({ name: depName, version: manifestVersion, hasMarker }) => {
+            if (hasMarker && CachedEnvironmentDeps[depName.toLowerCase()] === undefined) {
+                return;
+            }
             if (matchManifestVersions === "true" && manifestVersion != null) {
                 let installedVersion;
                 if (CachedEnvironmentDeps[depName.toLowerCase()] !== undefined) {

package/dist/src/providers/python_pip_pyproject.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: {}): boolean;
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir: string, opts?: {}): string;
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson: string): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req: string): boolean;
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req: string): string | null;
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    _getDependencyData(manifestDir: string, _workspaceDir: string, parsed: object, opts?: {}): Promise<{
+        directDeps: string[];
+        graph: Map<any, any>;
+    }>;
+    _findEggInfoDirs(dir: any): string[];
+    _cleanupEggInfo(dir: any, existing: any): void;
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_pip_pyproject.js ADDED Viewed

@@ -0,0 +1,144 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /** @returns {string} */
+    _lockFileName() {
+        return '.pip-lock-nonexistent';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'pip';
+    }
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    // eslint-disable-next-line no-unused-vars
+    validateLockFile(manifestDir, opts = {}) {
+        return true;
+    }
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_PIP_REPORT')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_PIP_REPORT'], 'base64').toString('ascii');
+        }
+        let pipBin = getCustomPath('pip3', opts);
+        try {
+            invokeCommand(pipBin, ['--version']);
+        }
+        catch {
+            pipBin = getCustomPath('pip', opts);
+        }
+        let eggInfoDirs = this._findEggInfoDirs(manifestDir);
+        let result = invokeCommand(pipBin, [
+            'install', '--dry-run', '--ignore-installed', '--quiet', '--report', '-', '.'
+        ], { cwd: manifestDir }).toString();
+        this._cleanupEggInfo(manifestDir, eggInfoDirs);
+        return result;
+    }
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson) {
+        let report = JSON.parse(reportJson);
+        let packages = report.install || [];
+        let rootEntry = packages.find(p => p.download_info?.dir_info !== undefined);
+        let rootRequires = rootEntry?.metadata?.requires_dist || [];
+        let directDepNames = new Set();
+        for (let req of rootRequires) {
+            if (this._hasExtraMarker(req)) {
+                continue;
+            }
+            let name = this._extractDepName(req);
+            if (name) {
+                directDepNames.add(this._canonicalize(name));
+            }
+        }
+        let graph = new Map();
+        let nonRootPackages = packages.filter(p => p !== rootEntry);
+        for (let pkg of nonRootPackages) {
+            let name = pkg.metadata.name;
+            let version = pkg.metadata.version;
+            let key = this._canonicalize(name);
+            graph.set(key, { name, version, children: [] });
+        }
+        for (let pkg of nonRootPackages) {
+            let key = this._canonicalize(pkg.metadata.name);
+            let entry = graph.get(key);
+            let requires = pkg.metadata.requires_dist || [];
+            for (let req of requires) {
+                let depName = this._extractDepName(req);
+                if (!depName) {
+                    continue;
+                }
+                let depKey = this._canonicalize(depName);
+                if (graph.has(depKey)) {
+                    entry.children.push(depKey);
+                }
+            }
+        }
+        let directDeps = [...directDepNames].filter(key => graph.has(key));
+        return { directDeps, graph };
+    }
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req) {
+        return /;\s*.*extra\s*==/.test(req);
+    }
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req) {
+        let match = req.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+        return match ? match[1] : null;
+    }
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
+        let reportOutput = this._getPipReportOutput(manifestDir, opts);
+        return this._parsePipReport(reportOutput);
+    }
+    _findEggInfoDirs(dir) {
+        try {
+            return fs.readdirSync(dir).filter(f => f.endsWith('.egg-info'));
+        }
+        catch {
+            return [];
+        }
+    }
+    _cleanupEggInfo(dir, existing) {
+        for (let entry of this._findEggInfoDirs(dir)) {
+            if (!existing.includes(entry)) {
+                fs.rmSync(path.join(dir, entry), { recursive: true, force: true });
+            }
+        }
+    }
+}

package/dist/src/providers/python_poetry.d.ts CHANGED Viewed

@@ -2,10 +2,11 @@ export default class Python_poetry extends Base_pyproject {
     /**
      * Get poetry show --tree output.
      * @param {string} manifestDir
+     * @param {boolean} hasDevGroup
      * @param {Object} opts
      * @returns {string}
      */
-    _getPoetryShowTreeOutput(manifestDir: string, opts: any): string;
+    _getPoetryShowTreeOutput(manifestDir: string, hasDevGroup: boolean, opts: any): string;
     /**
      * Get poetry show --all output (flat list with resolved versions).
      * @param {string} manifestDir

package/dist/src/providers/python_poetry.js CHANGED Viewed

@@ -39,7 +39,8 @@ export default class Python_poetry extends Base_pyproject {
      */
     // eslint-disable-next-line no-unused-vars
     async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
-        let treeOutput = this._getPoetryShowTreeOutput(manifestDir, opts);
+        let hasDevGroup = !!(parsed.tool?.poetry?.group?.dev || parsed.tool?.poetry?.['dev-dependencies']);
+        let treeOutput = this._getPoetryShowTreeOutput(manifestDir, hasDevGroup, opts);
         let showAllOutput = this._getPoetryShowAllOutput(manifestDir, opts);
         let versionMap = this._parsePoetryShowAll(showAllOutput);
         return this._parsePoetryTree(treeOutput, versionMap);
@@ -47,15 +48,20 @@ export default class Python_poetry extends Base_pyproject {
     /**
      * Get poetry show --tree output.
      * @param {string} manifestDir
+     * @param {boolean} hasDevGroup
      * @param {Object} opts
      * @returns {string}
      */
-    _getPoetryShowTreeOutput(manifestDir, opts) {
+    _getPoetryShowTreeOutput(manifestDir, hasDevGroup, opts) {
         if (environmentVariableIsPopulated('TRUSTIFY_DA_POETRY_SHOW_TREE')) {
             return Buffer.from(process.env['TRUSTIFY_DA_POETRY_SHOW_TREE'], 'base64').toString('utf-8');
         }
         let poetryBin = getCustomPath('poetry', opts);
-        return invokeCommand(poetryBin, ['show', '--tree', '--no-ansi'], { cwd: manifestDir }).toString();
+        let args = ['show', '--tree', '--no-ansi'];
+        if (hasDevGroup) {
+            args.push('--without', 'dev');
+        }
+        return invokeCommand(poetryBin, args, { cwd: manifestDir }).toString();
     }
     /**
      * Get poetry show --all output (flat list with resolved versions).

package/dist/src/providers/python_uv.js CHANGED Viewed

@@ -36,7 +36,7 @@ export default class Python_uv extends Base_pyproject {
             return Buffer.from(process.env['TRUSTIFY_DA_UV_EXPORT'], 'base64').toString('ascii');
         }
         let uvBin = getCustomPath('uv', opts);
-        return invokeCommand(uvBin, ['export', '--format', 'requirements.txt', '--frozen', '--no-hashes'], { cwd: manifestDir }).toString();
+        return invokeCommand(uvBin, ['export', '--format', 'requirements.txt', '--frozen', '--no-hashes', '--no-dev', '--no-emit-project'], { cwd: manifestDir }).toString();
     }
     /**
      * Parse uv export output into a dependency graph using tree-sitter-requirements
@@ -70,6 +70,9 @@ export default class Python_uv extends Base_pyproject {
                         let version = memberParsed.project?.version || memberParsed.tool?.poetry?.version;
                         if (name && version) {
                             let key = this._canonicalize(name);
+                            if (key === canonProjectName) {
+                                continue;
+                            }
                             currentPkg = { name, version, parents: new Set() };
                             packages.set(key, currentPkg);
                             collectingVia = false;

package/dist/src/tools.d.ts CHANGED Viewed

@@ -61,6 +61,22 @@ export function toPurlFromString(strPurl: any): PackageURL | null;
  * @param {string} cwd - directory for which to find the root of the git repository.
  */
 export function getGitRootDir(cwd: string): string | undefined;
+/**
+ * Normalize a filesystem path, lowercasing on Windows for case-insensitive comparison.
+ *
+ * @param {string} thePath
+ * @returns {string}
+ */
+export function normalizePath(thePath: string): string;
+/**
+ * Walk up from `startDir` to `repoRoot` looking for an executable wrapper script.
+ *
+ * @param {string} startDir - Absolute directory to start from
+ * @param {string} wrapperName - Wrapper filename (e.g. `mvnw`, `gradlew`)
+ * @param {string} [repoRoot] - Stop boundary (defaults to git root or filesystem root)
+ * @returns {string | undefined}
+ */
+export function traverseForWrapper(startDir: string, wrapperName: string, repoRoot?: string): string | undefined;
 /** this method invokes command string in a process in a synchronous way.
  * @param {string} bin - the command to be invoked
  * @param {Array<string>} args - the args to pass to the binary

package/dist/src/tools.js CHANGED Viewed

@@ -1,4 +1,6 @@
 import { execFileSync } from "child_process";
+import fs from 'node:fs';
+import path from 'node:path';
 import { EOL } from "os";
 import { HttpsProxyAgent } from "https-proxy-agent";
 import { PackageURL } from "packageurl-js";
@@ -128,6 +130,44 @@ export function getGitRootDir(cwd) {
         return undefined;
     }
 }
+/**
+ * Normalize a filesystem path, lowercasing on Windows for case-insensitive comparison.
+ *
+ * @param {string} thePath
+ * @returns {string}
+ */
+export function normalizePath(thePath) {
+    const normalized = path.resolve(thePath).normalize();
+    return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
+}
+/**
+ * Walk up from `startDir` to `repoRoot` looking for an executable wrapper script.
+ *
+ * @param {string} startDir - Absolute directory to start from
+ * @param {string} wrapperName - Wrapper filename (e.g. `mvnw`, `gradlew`)
+ * @param {string} [repoRoot] - Stop boundary (defaults to git root or filesystem root)
+ * @returns {string | undefined}
+ */
+export function traverseForWrapper(startDir, wrapperName, repoRoot = undefined) {
+    const currentDir = normalizePath(startDir);
+    repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(currentDir).root;
+    const wrapperPath = path.join(currentDir, wrapperName);
+    try {
+        fs.accessSync(wrapperPath, fs.constants.X_OK);
+        return wrapperPath;
+    }
+    catch {
+        const rootDir = path.parse(currentDir).root;
+        if (currentDir === repoRoot || currentDir === rootDir) {
+            return undefined;
+        }
+        const parentDir = path.dirname(currentDir);
+        if (parentDir === currentDir || parentDir === rootDir) {
+            return undefined;
+        }
+        return traverseForWrapper(parentDir, wrapperName, repoRoot);
+    }
+}
 /** this method invokes command string in a process in a synchronous way.
  * @param {string} bin - the command to be invoked
  * @param {Array<string>} args - the args to pass to the binary

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.3aa2054",
+	"version": "0.3.0-ea.4558b63",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",