@trustify-da/trustify-da-javascript-client 0.3.0-ea.5047f15 → 0.3.0-ea.5348b9e

package/dist/src/cyclone_dx_sbom.d.ts

@@ -18,9 +18,14 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope: any): CycloneDxSbom;
+    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope?: string, targetHashes?: Array<{
+        alg: string;
+        content: string;
+    }>): CycloneDxSbom;
     /** @param {{}} opts - various options, settings and configuration of application.
      * @return String CycloneDx Sbom json object in a string format
      */
@@ -50,6 +55,7 @@ export default class CycloneDxSbom {
         version: any;
         scope: any;
         licenses?: any;
+        hashes?: any;
     };
     /**
      * This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom

package/dist/src/cyclone_dx_sbom.js

@@ -6,10 +6,11 @@ import { PackageURL } from "packageurl-js";
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
  * @param licenses optional license string or array of licenses for the component
- * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
+ * @param hashes optional array of hash objects for the component, e.g. [{alg: "SHA-256", content: "..."}]
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?, hashes?}}
  * @private
  */
-function getComponent(component, type, scope, licenses) {
+function getComponent(component, type, scope, licenses, hashes) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -47,6 +48,10 @@ function getComponent(component, type, scope, licenses) {
             return lic;
         });
     }
+    // Add hashes if provided (CycloneDX 1.4 format).
+    if (hashes && hashes.length > 0) {
+        componentObject.hashes = hashes;
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -86,16 +91,24 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef, targetRef, scope) {
+    addDependency(sourceRef, targetRef, scope, targetHashes) {
         const sourcePurl = sourceRef.toString();
         const targetPurl = targetRef.toString();
         // Ensure both components exist in the components list
         [sourceRef, targetRef].forEach((ref, index) => {
             const purl = index === 0 ? sourcePurl : targetPurl;
-            if (this.getComponentIndex(purl) < 0) {
-                this.components.push(getComponent(ref, "library", scope));
+            const existingIndex = this.getComponentIndex(purl);
+            if (existingIndex < 0) {
+                const hashes = index === 1 ? targetHashes : undefined;
+                this.components.push(getComponent(ref, "library", scope, undefined, hashes));
+            }
+            else if (index === 1 && targetHashes && targetHashes.length > 0 && !this.components[existingIndex].hashes) {
+                // Update hashes if the component was first seen without them (e.g. as a source)
+                this.components[existingIndex].hashes = targetHashes;
             }
         });
         // Ensure source dependency exists

package/dist/src/index.d.ts

@@ -136,19 +136,74 @@ declare function stackAnalysis(manifest: string, html: false, opts?: Options | u
  * 		or backend request failed
  */
 declare function stackAnalysis(manifest: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: string;
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<string>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<{
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
  * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
  * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
  */
-declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean, opts?: Options): Promise<string | {
+declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | {
     [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
 } | {
     analysis: string | {
@@ -196,6 +251,7 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+import { discoverMavenModules } from './providers/java_maven.js';
 import { discoverWorkspacePackages } from './workspace.js';
 import { discoverWorkspaceCrates } from './workspace.js';
 import { validatePackageJson } from './workspace.js';
@@ -203,5 +259,5 @@ import { resolveWorkspaceDiscoveryIgnore } from './workspace.js';
 import { filterManifestPathsByDiscoveryIgnore } from './workspace.js';
 import { resolveContinueOnError } from './batch_opts.js';
 import { resolveBatchMetadata } from './batch_opts.js';
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
+export { discoverMavenModules, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";

package/dist/src/index.js

@@ -6,6 +6,7 @@ import analysis from './analysis.js';
 import fs from 'node:fs';
 import { getCustom } from "./tools.js";
 import { resolveBatchMetadata, resolveContinueOnError } from './batch_opts.js';
+import { discoverMavenModules } from './providers/java_maven.js';
 import { discoverWorkspaceCrates, discoverWorkspacePackages, filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, validatePackageJson, } from './workspace.js';
 import.meta.dirname;
 import * as url from 'url';
@@ -13,7 +14,7 @@ export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
 export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
+export { discoverMavenModules, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
  * TRUSTIFY_DA_CARGO_PATH?: string | undefined,
@@ -279,16 +280,23 @@ async function generateOneSbom(manifestPath, workspaceOpts) {
  *
  * @param {string} root - Resolved workspace root
  * @param {Options} opts
- * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'unknown', manifestPaths: string[] }>}
+ * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'maven' | 'unknown', manifestPaths: string[] }>}
  * @private
  */
 async function detectWorkspaceManifests(root, opts) {
     const cargoToml = path.join(root, 'Cargo.toml');
     const cargoLock = path.join(root, 'Cargo.lock');
     const packageJson = path.join(root, 'package.json');
+    const pomXml = path.join(root, 'pom.xml');
     if (fs.existsSync(cargoToml) && fs.existsSync(cargoLock)) {
         return { ecosystem: 'cargo', manifestPaths: await discoverWorkspaceCrates(root, opts) };
     }
+    if (fs.existsSync(pomXml)) {
+        const manifestPaths = await discoverMavenModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'maven', manifestPaths };
+        }
+    }
     const hasJsLock = fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
         || fs.existsSync(path.join(root, 'yarn.lock'))
         || fs.existsSync(path.join(root, 'package-lock.json'));
@@ -398,12 +406,45 @@ function batchError(message, wantMetadata, metadata) {
     }
     return err;
 }
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)

package/dist/src/providers/base_java.d.ts

@@ -57,15 +57,6 @@ export default class Base_Java {
      * @returns string
      */
     selectToolBinary(manifestPath: string, opts: {}): string | null;
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest: string, repoRoot?: string): string | undefined;
-    normalizePath(thePath: any): string;
     #private;
 }
 export type Provided = import("../provider").Provided;

package/dist/src/providers/base_java.js

@@ -1,7 +1,6 @@
-import fs from 'node:fs';
 import path from 'node:path';
 import { PackageURL } from 'packageurl-js';
-import { getCustomPath, getGitRootDir, getWrapperPreference, invokeCommand } from "../tools.js";
+import { getCustomPath, getWrapperPreference, invokeCommand, traverseForWrapper } from "../tools.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -131,7 +130,7 @@ export default class Base_Java {
         const toolPath = getCustomPath(this.globalBinary, opts);
         const useWrapper = getWrapperPreference(this.globalBinary, opts);
         if (useWrapper) {
-            const wrapper = this.traverseForWrapper(manifestPath);
+            const wrapper = traverseForWrapper(manifestDir, this.localWrapper);
             if (wrapper !== undefined) {
                 try {
                     this._invokeCommand(wrapper, ['--version'], { cwd: manifestDir });
@@ -156,39 +155,4 @@ export default class Base_Java {
         }
         return toolPath;
     }
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest, repoRoot = undefined) {
-        const normalizedManifest = this.normalizePath(startingManifest);
-        const currentDir = this.normalizePath(path.dirname(normalizedManifest));
-        repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(normalizedManifest).root;
-        const wrapperPath = path.join(currentDir, this.localWrapper);
-        try {
-            fs.accessSync(wrapperPath, fs.constants.X_OK);
-            return wrapperPath;
-        }
-        catch (error) {
-            if (error.code === 'ENOENT') {
-                const rootDir = path.parse(currentDir).root;
-                if (currentDir === repoRoot || currentDir === rootDir) {
-                    return undefined;
-                }
-                const parentDir = path.dirname(currentDir);
-                if (parentDir === currentDir || parentDir === rootDir) {
-                    return undefined;
-                }
-                return this.traverseForWrapper(path.join(parentDir, path.basename(normalizedManifest)), repoRoot);
-            }
-            throw new Error(`failure searching for ${this.localWrapper}`, { cause: error });
-        }
-    }
-    normalizePath(thePath) {
-        const normalized = path.resolve(thePath).normalize();
-        return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
-    }
 }

package/dist/src/providers/base_pyproject.d.ts

@@ -1,4 +1,4 @@
-/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
 /** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
 /** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
 /** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
@@ -131,6 +131,10 @@ export type GraphEntry = {
     name: string;
     version: string;
     children: string[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
 };
 export type DepTreeEntry = {
     name: string;

package/dist/src/providers/base_pyproject.js

@@ -7,9 +7,10 @@ import Sbom from '../sbom.js';
 import { getCustom } from '../tools.js';
 const ecosystem = 'pip';
 const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
+const NO_SCOPE = undefined;
 const DEFAULT_ROOT_NAME = 'default-pip-root';
 const DEFAULT_ROOT_VERSION = '0.0.0';
-/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
 /** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
 /** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
 /** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
@@ -281,7 +282,7 @@ export default class Base_pyproject {
                     continue;
                 }
                 let entry = graph.get(key);
-                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version), NO_SCOPE, entry.hashes);
             }
             for (let [key, entry] of graph) {
                 if (!reachable.has(key)) {
@@ -293,7 +294,7 @@ export default class Base_pyproject {
                         continue;
                     }
                     let childEntry = graph.get(child);
-                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version), NO_SCOPE, childEntry.hashes);
                 }
             }
         }
@@ -306,7 +307,7 @@ export default class Base_pyproject {
                 if (!entry) {
                     continue;
                 }
-                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version), NO_SCOPE, entry.hashes);
             }
         }
         return sbom.getAsJsonString(opts);

package/dist/src/providers/java_maven.d.ts

@@ -1,3 +1,11 @@
+/**
+ * Discover all pom.xml manifest paths in a Maven multi-module project.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain pom.xml)
+ * @param {object} [opts={}]
+ * @returns {Promise<string[]>} Paths to pom.xml files (absolute)
+ */
+export function discoverMavenModules(workspaceRoot: string, opts?: object): Promise<string[]>;
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */

package/dist/src/providers/java_maven.js

@@ -5,7 +5,8 @@ import { EOL } from 'os';
 import { XMLParser } from 'fast-xml-parser';
 import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
-import { getCustom } from '../tools.js';
+import { getCustom, invokeCommand } from '../tools.js';
+import { filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore } from '../workspace.js';
 import Base_java, { ecosystem_maven } from "./base_java.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
@@ -289,3 +290,94 @@ export default class Java_maven extends Base_java {
         return deps.filter(d => dep.artifactId === d.artifactId && dep.groupId === d.groupId && dep.scope === d.scope).length > 0;
     }
 }
+const DEFAULT_MAVEN_DISCOVERY_IGNORE = [
+    '**/target/**',
+];
+/**
+ * Discover all pom.xml manifest paths in a Maven multi-module project.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain pom.xml)
+ * @param {object} [opts={}]
+ * @returns {Promise<string[]>} Paths to pom.xml files (absolute)
+ */
+export async function discoverMavenModules(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const rootPom = path.join(root, 'pom.xml');
+    if (!fs.existsSync(rootPom)) {
+        return [];
+    }
+    let mvnBin;
+    try {
+        mvnBin = new Java_maven().selectToolBinary(rootPom, opts);
+    }
+    catch {
+        return [rootPom];
+    }
+    const visited = new Set();
+    const manifestPaths = [rootPom];
+    collectMavenModules(root, mvnBin, visited, manifestPaths);
+    const ignorePatterns = [...resolveWorkspaceDiscoveryIgnore(opts), ...DEFAULT_MAVEN_DISCOVERY_IGNORE];
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * @param {string} dir - Absolute path to directory containing pom.xml
+ * @param {string} mvnBin - Maven binary path
+ * @param {Set<string>} visited - Already-visited directories (cycle guard)
+ * @param {string[]} manifestPaths - Accumulator for discovered pom.xml paths
+ */
+function collectMavenModules(dir, mvnBin, visited, manifestPaths) {
+    const resolvedDir = path.resolve(dir);
+    if (visited.has(resolvedDir)) {
+        return;
+    }
+    visited.add(resolvedDir);
+    const modules = listMavenModules(resolvedDir, mvnBin);
+    for (const mod of modules) {
+        const moduleDir = path.resolve(resolvedDir, mod);
+        const modulePom = path.join(moduleDir, 'pom.xml');
+        if (fs.existsSync(modulePom)) {
+            manifestPaths.push(modulePom);
+            collectMavenModules(moduleDir, mvnBin, visited, manifestPaths);
+        }
+    }
+}
+/**
+ * @param {string} dir - Directory containing pom.xml
+ * @param {string} mvnBin - Maven binary path
+ * @returns {string[]} Module directory names (relative to `dir`)
+ */
+function listMavenModules(dir, mvnBin) {
+    let output;
+    try {
+        output = invokeCommand(mvnBin, [
+            'help:evaluate',
+            '-Dexpression=project.modules',
+            '-q',
+            '-DforceStdout',
+            '-f', path.join(dir, 'pom.xml'),
+            '--batch-mode',
+        ], { cwd: dir });
+    }
+    catch {
+        return [];
+    }
+    const raw = output.toString().trim();
+    if (!raw || raw.startsWith('<modules')) {
+        return [];
+    }
+    return parseMavenModuleList(raw);
+}
+/**
+ * @param {string} raw - Raw stdout from mvn help:evaluate -DforceStdout
+ * @returns {string[]}
+ */
+function parseMavenModuleList(raw) {
+    const parser = new XMLParser();
+    const parsed = parser.parse(raw);
+    const entries = parsed?.strings?.string;
+    if (!entries) {
+        return [];
+    }
+    const list = Array.isArray(entries) ? entries : [entries];
+    return list.map(s => String(s).trim()).filter(Boolean);
+}

package/dist/src/providers/javascript_npm.d.ts

@@ -1,4 +1,5 @@
 export default class Javascript_npm extends Base_javascript {
     _listCmdArgs(includeTransitive: any): string[];
+    _buildDependencyTree(includeTransitive: any, opts?: {}): any;
 }
 import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_npm.js

@@ -12,4 +12,25 @@ export default class Javascript_npm extends Base_javascript {
     _updateLockFileCmdArgs() {
         return ['install', '--package-lock-only'];
     }
+    _buildDependencyTree(includeTransitive, opts = {}) {
+        // npm ls --json returns a single tree rooted at the workspace root.
+        // When analyzing a workspace member, its deps are nested under the
+        // root's dependencies keyed by the member name — extract that subtree
+        // so downstream analysis sees only the member's dependencies.
+        const tree = super._buildDependencyTree(includeTransitive, opts);
+        const memberName = this._getManifest().name;
+        if (tree.name === memberName) {
+            return tree;
+        }
+        const memberEntry = tree.dependencies?.[memberName];
+        if (memberEntry) {
+            return {
+                name: memberName,
+                version: memberEntry.version || this._getManifest().version,
+                dependencies: memberEntry.dependencies,
+                optionalDependencies: memberEntry.optionalDependencies,
+            };
+        }
+        return tree;
+    }
 }

package/dist/src/providers/javascript_pnpm.js

@@ -7,15 +7,19 @@ export default class Javascript_pnpm extends Base_javascript {
         return "pnpm";
     }
     _listCmdArgs(includeTransitive) {
-        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json'];
+        return ['ls', includeTransitive ? '--depth=Infinity' : '--depth=0', '--prod', '--json', '-r'];
     }
     _updateLockFileCmdArgs() {
         return ['install', '--frozen-lockfile'];
     }
     _buildDependencyTree(includeTransitive, opts = {}) {
+        // pnpm ls --json returns an array with one entry per workspace package.
+        // When analyzing a workspace member, find its entry by name instead of
+        // blindly taking the first element (which is the workspace root).
         const tree = super._buildDependencyTree(includeTransitive, opts);
         if (Array.isArray(tree) && tree.length > 0) {
-            return tree[0];
+            const memberName = this._getManifest().name;
+            return tree.find(pkg => pkg.name === memberName) || tree[0];
         }
         return {};
     }

package/dist/src/providers/processors/yarn_berry_processor.js

@@ -15,7 +15,10 @@ export default class Yarn_berry_processor extends Yarn_processor {
      * @returns {string[]} Command arguments for listing dependencies
      */
     listCmdArgs(includeTransitive) {
-        return ['info', includeTransitive ? '--recursive' : '--all', '--json'];
+        // --all is needed to include workspace members in the output
+        return includeTransitive
+            ? ['info', '--recursive', '--all', '--json']
+            : ['info', '--all', '--json'];
     }
     /**
      * Returns the command arguments for updating the lock file
@@ -68,7 +71,8 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!name) {
             return false;
         }
-        return name.endsWith("@workspace:.");
+        // Workspace members use paths like "member-a@workspace:packages/member-a", not just "@workspace:."
+        return name.startsWith(`${this._manifest.name}@workspace:`);
     }
     /**
    * Adds dependencies to the SBOM

package/dist/src/providers/python_controller.d.ts

@@ -1,4 +1,4 @@
-/** @typedef {{name: string, version: string, dependencies: DependencyEntry[]}} DependencyEntry */
+/** @typedef {{name: string, version: string, dependencies: DependencyEntry[], hashes?: Array<{alg: string, content: string}>}} DependencyEntry */
 export default class Python_controller {
     /**
      * Constructor to create new python controller instance to interact with pip package manager
@@ -31,4 +31,8 @@ export type DependencyEntry = {
     name: string;
     version: string;
     dependencies: DependencyEntry[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
 };

package/dist/src/providers/python_controller.js

@@ -19,7 +19,7 @@ function getPipShowOutput(depNames) {
         throw new Error('fail invoking \'pip show\' to fetch metadata for all installed packages in environment', { cause: error });
     }
 }
-/** @typedef {{name: string, version: string, dependencies: DependencyEntry[]}} DependencyEntry */
+/** @typedef {{name: string, version: string, dependencies: DependencyEntry[], hashes?: Array<{alg: string, content: string}>}} DependencyEntry */
 export default class Python_controller {
     pythonEnvDir;
     pathToPipBin;

package/dist/src/providers/python_pip.d.ts

@@ -10,6 +10,10 @@ export type DependencyEntry = {
     name: string;
     version: string;
     dependencies: DependencyEntry[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
 };
 /**
  * @param {string} manifestName - the subject manifest name-type

package/dist/src/providers/python_pip.js

@@ -6,12 +6,13 @@ import { environmentVariableIsPopulated, getCustom, getCustomPath, invokeCommand
 import Python_controller from './python_controller.js';
 import { getParser, getIgnoreQuery, getPinnedVersionQuery } from './requirements_parser.js';
 export default { isSupported, validateLockFile, provideComponent, provideStack, readLicenseFromManifest };
-/** @typedef {{name: string, version: string, dependencies: DependencyEntry[]}} DependencyEntry */
+/** @typedef {{name: string, version: string, dependencies: DependencyEntry[], hashes?: Array<{alg: string, content: string}>}} DependencyEntry */
 /**
  * @type {string} ecosystem for python-pip is 'pip'
  * @private
  */
 const ecosystem = 'pip';
+const NO_SCOPE = undefined;
 /**
  * @param {string} manifestName - the subject manifest name-type
  * @returns {boolean} - return true if `requirements.txt` is the manifest name-type
@@ -56,7 +57,6 @@ async function provideComponent(manifest, opts = {}) {
         contentType: 'application/vnd.cyclonedx+json'
     };
 }
-/** @typedef {{name: string, , version: string, dependencies: DependencyEntry[]}} DependencyEntry */
 /**
  *
  * @param {PackageURL}source
@@ -66,7 +66,7 @@ async function provideComponent(manifest, opts = {}) {
  */
 function addAllDependencies(source, dep, sbom) {
     let targetPurl = toPurl(dep["name"], dep["version"]);
-    sbom.addDependency(source, targetPurl);
+    sbom.addDependency(source, targetPurl, NO_SCOPE, dep["hashes"]);
     let directDeps = dep["dependencies"];
     if (directDeps !== undefined && directDeps.length > 0) {
         directDeps.forEach((dependency) => { addAllDependencies(toPurl(dep["name"], dep["version"]), dependency, sbom); });
@@ -202,7 +202,7 @@ async function getSbomForComponentAnalysis(manifest, opts = {}) {
     const license = readLicenseFromManifest(manifest);
     sbom.addRoot(rootPurl, license);
     dependencies.forEach(dep => {
-        sbom.addDependency(rootPurl, toPurl(dep.name, dep.version));
+        sbom.addDependency(rootPurl, toPurl(dep.name, dep.version), NO_SCOPE, dep.hashes);
     });
     await handleIgnoredDependencies(manifest, sbom, opts);
     // In python there is no root component, then we must remove the dummy root we added, so the sbom json will be accepted by the DA backend

package/dist/src/providers/python_poetry.d.ts

@@ -1,4 +1,19 @@
 export default class Python_poetry extends Base_pyproject {
+    /**
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (poetry has no workspace support)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    _getDependencyData(manifestDir: string, _workspaceDir: string, parsed: object, opts: any): Promise<{
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    }>;
     /**
      * Get poetry show --tree output.
      * @param {string} manifestDir

package/dist/src/providers/python_uv.d.ts

@@ -1,4 +1,19 @@
 export default class Python_uv extends Base_pyproject {
+    /**
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    _getDependencyData(manifestDir: string, workspaceDir: string, parsed: object, opts: any): Promise<{
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    }>;
     /**
      * Get the uv export output, either from env var or by running the command.
      * @param {string} manifestDir

package/dist/src/sbom.d.ts

@@ -25,9 +25,14 @@ export default class Sbom {
     /**
      * @param {component} sourceRef current source Component ( Starting from root component by clients)
      * @param {PackageURL} targetRef current dependency to add to Dependencies list of component sourceRef
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return Sbom
      */
-    addDependency(sourceRef: component, targetRef: PackageURL, scope: any): CycloneDxSbom;
+    addDependency(sourceRef: component, targetRef: PackageURL, scope?: string, targetHashes?: Array<{
+        alg: string;
+        content: string;
+    }>): CycloneDxSbom;
     /**
      * @return String sbom json in a string format
      */
@@ -45,6 +50,7 @@ export default class Sbom {
         version: any;
         scope: any;
         licenses?: any;
+        hashes?: any;
     };
     /** This method gets a component object, and a string name, and checks if the name is a substring of the component' purl.
      * @param {} component to search in its dependencies

package/dist/src/sbom.js

@@ -43,10 +43,12 @@ export default class Sbom {
     /**
      * @param {component} sourceRef current source Component ( Starting from root component by clients)
      * @param {PackageURL} targetRef current dependency to add to Dependencies list of component sourceRef
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return Sbom
      */
-    addDependency(sourceRef, targetRef, scope) {
-        return this.sbomModel.addDependency(sourceRef, targetRef, scope);
+    addDependency(sourceRef, targetRef, scope, targetHashes) {
+        return this.sbomModel.addDependency(sourceRef, targetRef, scope, targetHashes);
     }
     /**
      * @return String sbom json in a string format

package/dist/src/tools.d.ts

@@ -61,6 +61,22 @@ export function toPurlFromString(strPurl: any): PackageURL | null;
  * @param {string} cwd - directory for which to find the root of the git repository.
  */
 export function getGitRootDir(cwd: string): string | undefined;
+/**
+ * Normalize a filesystem path, lowercasing on Windows for case-insensitive comparison.
+ *
+ * @param {string} thePath
+ * @returns {string}
+ */
+export function normalizePath(thePath: string): string;
+/**
+ * Walk up from `startDir` to `repoRoot` looking for an executable wrapper script.
+ *
+ * @param {string} startDir - Absolute directory to start from
+ * @param {string} wrapperName - Wrapper filename (e.g. `mvnw`, `gradlew`)
+ * @param {string} [repoRoot] - Stop boundary (defaults to git root or filesystem root)
+ * @returns {string | undefined}
+ */
+export function traverseForWrapper(startDir: string, wrapperName: string, repoRoot?: string): string | undefined;
 /** this method invokes command string in a process in a synchronous way.
  * @param {string} bin - the command to be invoked
  * @param {Array<string>} args - the args to pass to the binary

package/dist/src/tools.js

@@ -1,4 +1,6 @@
 import { execFileSync } from "child_process";
+import fs from 'node:fs';
+import path from 'node:path';
 import { EOL } from "os";
 import { HttpsProxyAgent } from "https-proxy-agent";
 import { PackageURL } from "packageurl-js";
@@ -128,6 +130,44 @@ export function getGitRootDir(cwd) {
         return undefined;
     }
 }
+/**
+ * Normalize a filesystem path, lowercasing on Windows for case-insensitive comparison.
+ *
+ * @param {string} thePath
+ * @returns {string}
+ */
+export function normalizePath(thePath) {
+    const normalized = path.resolve(thePath).normalize();
+    return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
+}
+/**
+ * Walk up from `startDir` to `repoRoot` looking for an executable wrapper script.
+ *
+ * @param {string} startDir - Absolute directory to start from
+ * @param {string} wrapperName - Wrapper filename (e.g. `mvnw`, `gradlew`)
+ * @param {string} [repoRoot] - Stop boundary (defaults to git root or filesystem root)
+ * @returns {string | undefined}
+ */
+export function traverseForWrapper(startDir, wrapperName, repoRoot = undefined) {
+    const currentDir = normalizePath(startDir);
+    repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(currentDir).root;
+    const wrapperPath = path.join(currentDir, wrapperName);
+    try {
+        fs.accessSync(wrapperPath, fs.constants.X_OK);
+        return wrapperPath;
+    }
+    catch {
+        const rootDir = path.parse(currentDir).root;
+        if (currentDir === repoRoot || currentDir === rootDir) {
+            return undefined;
+        }
+        const parentDir = path.dirname(currentDir);
+        if (parentDir === currentDir || parentDir === rootDir) {
+            return undefined;
+        }
+        return traverseForWrapper(parentDir, wrapperName, repoRoot);
+    }
+}
 /** this method invokes command string in a process in a synchronous way.
  * @param {string} bin - the command to be invoked
  * @param {Array<string>} args - the args to pass to the binary

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.5047f15",
+	"version": "0.3.0-ea.5348b9e",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",