@trustify-da/trustify-da-javascript-client 0.3.0-ea.63ae5c2 → 0.3.0-ea.6549d2a

package/README.md

@@ -83,12 +83,13 @@ Use as CLI Script
 ```shell
 $ npx @trustify-da/trustify-da-javascript-client help
 
-Usage: trustify-da-javascript-client {component|stack|image|validate-token}
+Usage: trustify-da-javascript-client {component|stack|image|validate-token|license}
 
 Commands:
   trustify-da-javascript-client stack </path/to/manifest> [--html|--summary]               produce stack report for manifest path
   trustify-da-javascript-client component <path/to/manifest> [--summary]   produce component report for a manifest type and content
   trustify-da-javascript-client image <image-refs..> [--html|--summary]               produce image analysis report for OCI image references
+  trustify-da-javascript-client license </path/to/manifest>               display project license information from manifest and LICENSE file in JSON format
 
 Options:
   --help  Show help                                                    [boolean]
@@ -123,6 +124,9 @@ $ npx @trustify-da/trustify-da-javascript-client image docker.io/library/node:18
 
 # specify architecture using ^^ notation (e.g., httpd:2.4.49^^amd64)
 $ npx @trustify-da/trustify-da-javascript-client image httpd:2.4.49^^amd64
+
+# get project license information
+$ npx @trustify-da/trustify-da-javascript-client license /path/to/package.json
 ```
 </li>
 
@@ -161,6 +165,9 @@ $ trustify-da-javascript-client image docker.io/library/node:18 docker.io/librar
 
 # specify architecture using ^^ notation (e.g., httpd:2.4.49^^amd64)
 $ trustify-da-javascript-client image httpd:2.4.49^^amd64
+
+# get project license information
+$ trustify-da-javascript-client license /path/to/package.json
 ```
 </li>
 </ul>
@@ -372,6 +379,11 @@ const options = {
 The proxy URL should be in the format: `http://host:port` or `https://host:port`. The API will automatically use the appropriate protocol (HTTP or HTTPS) based on the proxy URL provided.
 </p>
 
+<h4>License resolution and dependency license compliance</h4>
+<p>
+The client can resolve the <strong>project license</strong> from the manifest (e.g. <code>package.json</code> <code>license</code>, <code>pom.xml</code> <code>&lt;licenses&gt;</code>) and from a <code>LICENSE</code> or <code>LICENSE.md</code> file in the project, and report when they differ. For <strong>component analysis</strong>, you can optionally run a license check: the client fetches dependency licenses from the backend (by purl) and reports dependencies whose licenses are incompatible with the project license. See <a href="docs/license-resolution-and-compliance.md">License resolution and compliance</a> for design and behavior. To disable the check on component analysis, set <code>TRUSTIFY_DA_LICENSE_CHECK=false</code> or pass <code>licenseCheck: false</code> in the options.
+</p>
+
 <h4>Customizing Executables</h4>
 <p>
 This project uses each ecosystem's executable for creating dependency trees. These executables are expected to be

package/dist/package.json

@@ -59,7 +59,7 @@
     },
     "devDependencies": {
         "@babel/core": "^7.23.2",
-        "@trustify-da/trustify-da-api-model": "^2.0.1",
+        "@trustify-da/trustify-da-api-model": "^2.0.7",
         "@types/node": "^20.17.30",
         "@types/which": "^3.0.4",
         "babel-plugin-rewire": "^1.2.0",

package/dist/src/analysis.d.ts

@@ -1,9 +1,3 @@
-/**
- * Utility function for fetching vendor tokens
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
- * @returns {{}}
- */
-export function getTokenHeaders(opts?: import("index.js").Options): {};
 declare namespace _default {
     export { requestComponent };
     export { requestStack };

package/dist/src/analysis.js

@@ -1,28 +1,10 @@
 import fs from "node:fs";
 import path from "node:path";
 import { EOL } from "os";
-import { HttpsProxyAgent } from "https-proxy-agent";
+import { runLicenseCheck } from "./license/index.js";
 import { generateImageSBOM, parseImageRef } from "./oci_image/utils.js";
-import { RegexNotToBeLogged, getCustom } from "./tools.js";
+import { addProxyAgent, getCustom, getTokenHeaders, TRUSTIFY_DA_OPERATION_TYPE_HEADER, TRUSTIFY_DA_PACKAGE_MANAGER_HEADER } from "./tools.js";
 export default { requestComponent, requestStack, requestImages, validateToken };
-const rhdaTokenHeader = "trust-da-token";
-const rhdaTelemetryId = "telemetry-anonymous-id";
-const rhdaSourceHeader = "trust-da-source";
-const rhdaOperationTypeHeader = "trust-da-operation-type";
-const rhdaPackageManagerHeader = "trust-da-pkg-manager";
-/**
- * Adds proxy agent configuration to fetch options if a proxy URL is specified
- * @param {RequestInit} options - The base fetch options
- * @param {import("index.js").Options} opts - The trustify DA options that may contain proxy configuration
- * @returns {RequestInit} The fetch options with proxy agent if applicable
- */
-function addProxyAgent(options, opts) {
-    const proxyUrl = getCustom('TRUSTIFY_DA_PROXY_URL', null, opts);
-    if (proxyUrl) {
-        options.agent = new HttpsProxyAgent(proxyUrl);
-    }
-    return options;
-}
 /**
  * Send a stack analysis request and get the report as 'text/html' or 'application/json'.
  * @param {import('./provider').Provider} provider - the provided data for constructing the request
@@ -37,13 +19,13 @@ async function requestStack(provider, manifest, url, html = false, opts = {}) {
     opts["manifest-type"] = path.parse(manifest).base;
     let provided = await provider.provideStack(manifest, opts); // throws error if content providing failed
     opts["source-manifest"] = "";
-    opts[rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_")] = "stack-analysis";
+    opts[TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_")] = "stack-analysis";
     let startTime = new Date();
     let endTime;
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         console.log("Starting time of sending stack analysis request to the dependency analytics server= " + startTime);
     }
-    opts[rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
+    opts[TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
     const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
@@ -53,7 +35,7 @@ async function requestStack(provider, manifest, url, html = false, opts = {}) {
         },
         body: provided.content
     }, opts);
-    const finalUrl = new URL(`${url}/api/v4/analysis`);
+    const finalUrl = new URL(`${url}/api/v5/analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -96,11 +78,11 @@ async function requestComponent(provider, manifest, url, opts = {}) {
     opts["source-manifest"] = Buffer.from(fs.readFileSync(manifest).toString()).toString('base64');
     let provided = await provider.provideComponent(manifest, opts); // throws error if content providing failed
     opts["source-manifest"] = "";
-    opts[rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_")] = "component-analysis";
+    opts[TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_")] = "component-analysis";
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         console.log("Starting time of sending component analysis request to Trustify DA backend server= " + new Date());
     }
-    opts[rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
+    opts[TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
     const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
@@ -110,7 +92,7 @@ async function requestComponent(provider, manifest, url, opts = {}) {
         },
         body: provided.content
     }, opts);
-    const finalUrl = new URL(`${url}/api/v4/analysis`);
+    const finalUrl = new URL(`${url}/api/v5/analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -127,6 +109,15 @@ async function requestComponent(provider, manifest, url, opts = {}) {
             console.log(JSON.stringify(result, null, 4));
             console.log("Ending time of sending component analysis request to Trustify DA backend server= " + new Date());
         }
+        const licenseCheckEnabled = getCustom('TRUSTIFY_DA_LICENSE_CHECK', 'true', opts) !== 'false' && opts.licenseCheck !== false;
+        if (licenseCheckEnabled) {
+            try {
+                result.licenseSummary = await runLicenseCheck(provided.content, manifest, url, opts, result);
+            }
+            catch (licenseErr) {
+                result.licenseSummary = { error: licenseErr.message };
+            }
+        }
     }
     else {
         throw new Error(`Got error response from Trustify DA backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`);
@@ -146,7 +137,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
         const parsedImageRef = parseImageRef(image, opts);
         imageSboms[parsedImageRef.getPackageURL().toString()] = generateImageSBOM(parsedImageRef, opts);
     }
-    const finalUrl = new URL(`${url}/api/v4/batch-analysis`);
+    const finalUrl = new URL(`${url}/api/v5/batch-analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -195,7 +186,7 @@ async function validateToken(url, opts = {}) {
             ...getTokenHeaders(opts),
         }
     }, opts);
-    let resp = await fetch(`${url}/api/v4/token`, fetchOptions);
+    let resp = await fetch(`${url}/api/v5/token`, fetchOptions);
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         let exRequestId = resp.headers.get("ex-request-id");
         if (exRequestId) {
@@ -204,39 +195,3 @@ async function validateToken(url, opts = {}) {
     }
     return resp.status;
 }
-/**
- *
- * @param {string} headerName - the header name to populate in request
- * @param headers
- * @param {string} optsKey - key in the options object to use the value for
- * @param {import("index.js").Options} [opts={}] - options input object to fetch header values from
- * @private
- */
-function setRhdaHeader(headerName, headers, optsKey, opts) {
-    let rhdaHeaderValue = getCustom(optsKey, null, opts);
-    if (rhdaHeaderValue) {
-        headers[headerName] = rhdaHeaderValue;
-    }
-}
-/**
- * Utility function for fetching vendor tokens
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
- * @returns {{}}
- */
-export function getTokenHeaders(opts = {}) {
-    let headers = {};
-    setRhdaHeader(rhdaTokenHeader, headers, 'TRUSTIFY_DA_TOKEN', opts);
-    setRhdaHeader(rhdaSourceHeader, headers, 'TRUSTIFY_DA_SOURCE', opts);
-    setRhdaHeader(rhdaOperationTypeHeader, headers, rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_"), opts);
-    setRhdaHeader(rhdaPackageManagerHeader, headers, rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_"), opts);
-    setRhdaHeader(rhdaTelemetryId, headers, 'TRUSTIFY_DA_TELEMETRY_ID', opts);
-    if (getCustom("TRUSTIFY_DA_DEBUG", null, opts) === "true") {
-        console.log("Headers Values to be sent to Trustify DA backend:" + EOL);
-        for (const headerKey in headers) {
-            if (!headerKey.match(RegexNotToBeLogged)) {
-                console.log(`${headerKey}: ${headers[headerKey]}`);
-            }
-        }
-    }
-    return headers;
-}

package/dist/src/cli.js

@@ -2,7 +2,8 @@
 import * as path from "path";
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
-import client from './index.js';
+import { getProjectLicense, getLicenseDetails } from './license/index.js';
+import client, { selectTrustifyDABackend } from './index.js';
 // command for component analysis take manifest type and content
 const component = {
     command: 'component </path/to/manifest>',
@@ -22,9 +23,8 @@ const validateToken = {
     command: 'validate-token <token-provider> [--token-value thevalue]',
     desc: 'Validates input token if authentic and authorized',
     builder: yargs => yargs.positional('token-provider', {
-        desc: 'the token provider',
-        type: 'string',
-        choices: ['snyk', 'oss-index'],
+        desc: 'the token provider name',
+        type: 'string'
     }).options({
         tokenValue: {
             alias: 'value',
@@ -37,7 +37,7 @@ const validateToken = {
         let opts = {};
         if (args['tokenValue'] !== undefined && args['tokenValue'].trim() !== "") {
             let tokenValue = args['tokenValue'].trim();
-            opts[`TRUSTIFY_DA_${tokenProvider}_TOKEN`] = tokenValue;
+            opts[`TRUSTIFY_DA_PROVIDER_${tokenProvider}_TOKEN`] = tokenValue;
         }
         let res = await client.validateToken(opts);
         console.log(res);
@@ -143,13 +143,79 @@ const stack = {
         console.log(html ? res : JSON.stringify(!html && summary ? theProvidersObject : res, null, 2));
     }
 };
+// command for license checking
+const license = {
+    command: 'license </path/to/manifest>',
+    desc: 'Display project license information from manifest and LICENSE file in JSON format',
+    builder: yargs => yargs.positional('/path/to/manifest', {
+        desc: 'manifest path for license analysis',
+        type: 'string',
+        normalize: true,
+    }),
+    handler: async (args) => {
+        let manifestPath = args['/path/to/manifest'];
+        const opts = {}; // CLI options can be extended in the future
+        try {
+            selectTrustifyDABackend(opts);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: err.message }, null, 2));
+            process.exit(1);
+        }
+        let localResult;
+        try {
+            localResult = getProjectLicense(manifestPath);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: `Failed to read manifest: ${err.message}` }, null, 2));
+            process.exit(1);
+        }
+        const errors = [];
+        // Build LicenseInfo objects
+        const buildLicenseInfo = async (spdxId) => {
+            if (!spdxId) {
+                return null;
+            }
+            const licenseInfo = { spdxId };
+            try {
+                const details = await getLicenseDetails(spdxId, opts);
+                if (details) {
+                    // Check if backend recognized the license as valid
+                    if (details.category === 'UNKNOWN') {
+                        errors.push(`"${spdxId}" is not a valid SPDX license identifier. Please use a valid SPDX expression (e.g., "Apache-2.0", "MIT"). See https://spdx.org/licenses/`);
+                    }
+                    else {
+                        Object.assign(licenseInfo, details);
+                    }
+                }
+                else {
+                    errors.push(`No license details found for ${spdxId}`);
+                }
+            }
+            catch (err) {
+                errors.push(`Failed to fetch details for ${spdxId}: ${err.message}`);
+            }
+            return licenseInfo;
+        };
+        const output = {
+            manifestLicense: await buildLicenseInfo(localResult.fromManifest),
+            fileLicense: await buildLicenseInfo(localResult.fromFile),
+            mismatch: localResult.mismatch
+        };
+        if (errors.length > 0) {
+            output.errors = errors;
+        }
+        console.log(JSON.stringify(output, null, 2));
+    }
+};
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|image|validate-token}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|image|validate-token|license}`)
     .command(stack)
     .command(component)
     .command(image)
     .command(validateToken)
+    .command(license)
     .scriptName('')
     .version(false)
     .demandCommand(1)

package/dist/src/cyclone_dx_sbom.d.ts

@@ -6,9 +6,10 @@ export default class CycloneDxSbom {
     sourceManifestForAuditTrail: any;
     /**
      * @param {PackageURL} root - add main/root component for sbom
+     * @param {string|Array} [licenses] - optional license(s) for the root component
      * @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
      */
-    addRoot(root: PackageURL): CycloneDxSbom;
+    addRoot(root: PackageURL, licenses?: string | any[]): CycloneDxSbom;
     /**
      * @return {{{"bom-ref": string, name, purl: string, type, version}}} root component of sbom.
      */
@@ -48,6 +49,7 @@ export default class CycloneDxSbom {
         type: any;
         version: any;
         scope: any;
+        licenses?: any;
     };
     /**
      * This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom

package/dist/src/cyclone_dx_sbom.js

@@ -5,10 +5,11 @@ import { PackageURL } from "packageurl-js";
  * @param component {PackageURL}
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
- * @return {{"bom-ref": string, name, purl: string, type, version, scope}}
+ * @param licenses optional license string or array of licenses for the component
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
  * @private
  */
-function getComponent(component, type, scope) {
+function getComponent(component, type, scope, licenses) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -36,6 +37,16 @@ function getComponent(component, type, scope) {
     else {
         componentObject = component;
     }
+    // Add licenses if provided (CycloneDX format). Callers must provide valid SPDX identifiers.
+    if (licenses) {
+        const licenseArray = Array.isArray(licenses) ? licenses : [licenses];
+        componentObject.licenses = licenseArray.map(lic => {
+            if (typeof lic === 'string') {
+                return { license: { id: lic } };
+            }
+            return lic;
+        });
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -56,11 +67,12 @@ export default class CycloneDxSbom {
     }
     /**
      * @param {PackageURL} root - add main/root component for sbom
+     * @param {string|Array} [licenses] - optional license(s) for the root component
      * @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
      */
-    addRoot(root) {
+    addRoot(root, licenses) {
         this.rootComponent =
-            getComponent(root, "application");
+            getComponent(root, "application", undefined, licenses);
         this.components.push(this.rootComponent);
         return this;
     }

package/dist/src/index.d.ts

@@ -47,6 +47,7 @@ export type Options = {
     TRUSTIFY_DA_SYFT_CONFIG_PATH?: string | undefined;
     TRUSTIFY_DA_SYFT_PATH?: string | undefined;
     TRUSTIFY_DA_YARN_PATH?: string | undefined;
+    TRUSTIFY_DA_LICENSE_CHECK?: string | undefined;
     MATCH_MANIFEST_VERSIONS?: string | undefined;
     TRUSTIFY_DA_SOURCE?: string | undefined;
     TRUSTIFY_DA_TOKEN?: string | undefined;
@@ -130,3 +131,4 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+export { getProjectLicense, findLicenseFilePath, identifyLicenseViaBackend, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";

package/dist/src/index.js

@@ -8,6 +8,7 @@ import.meta.dirname;
 import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
+export { getProjectLicense, findLicenseFilePath, identifyLicenseViaBackend, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
 export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken };
 /**
  * @typedef {{
@@ -35,6 +36,7 @@ export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken
  * TRUSTIFY_DA_SYFT_CONFIG_PATH?: string | undefined,
  * TRUSTIFY_DA_SYFT_PATH?: string | undefined,
  * TRUSTIFY_DA_YARN_PATH?: string | undefined,
+ * TRUSTIFY_DA_LICENSE_CHECK?: string | undefined,
  * MATCH_MANIFEST_VERSIONS?: string | undefined,
  * TRUSTIFY_DA_SOURCE?: string | undefined,
  * TRUSTIFY_DA_TOKEN?: string | undefined,

package/dist/src/license/compatibility.d.ts

@@ -0,0 +1,18 @@
+/**
+ * License compatibility: whether a dependency license is compatible with the project license.
+ * Relies on backend-provided license categories.
+ *
+ * Compatibility is based on restrictiveness hierarchy:
+ * PERMISSIVE < WEAK_COPYLEFT < STRONG_COPYLEFT
+ *
+ * A dependency is compatible if it's equal or less restrictive than the project license.
+ * A dependency is incompatible if it's more restrictive than the project license.
+ */
+/**
+ * Check if a dependency's license is compatible with the project license based on backend categories.
+ *
+ * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @returns {'compatible'|'incompatible'|'unknown'}
+ */
+export function getCompatibility(projectCategory?: string, dependencyCategory?: string): "compatible" | "incompatible" | "unknown";

package/dist/src/license/compatibility.js

@@ -0,0 +1,45 @@
+/**
+ * License compatibility: whether a dependency license is compatible with the project license.
+ * Relies on backend-provided license categories.
+ *
+ * Compatibility is based on restrictiveness hierarchy:
+ * PERMISSIVE < WEAK_COPYLEFT < STRONG_COPYLEFT
+ *
+ * A dependency is compatible if it's equal or less restrictive than the project license.
+ * A dependency is incompatible if it's more restrictive than the project license.
+ */
+/**
+ * Check if a dependency's license is compatible with the project license based on backend categories.
+ *
+ * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @returns {'compatible'|'incompatible'|'unknown'}
+ */
+export function getCompatibility(projectCategory, dependencyCategory) {
+    if (!projectCategory || !dependencyCategory) {
+        return 'unknown';
+    }
+    const proj = projectCategory.toUpperCase();
+    const dep = dependencyCategory.toUpperCase();
+    // Unknown categories
+    if (proj === 'UNKNOWN' || dep === 'UNKNOWN') {
+        return 'unknown';
+    }
+    // Define restrictiveness levels (higher number = more restrictive)
+    const restrictiveness = {
+        'PERMISSIVE': 1,
+        'WEAK_COPYLEFT': 2,
+        'STRONG_COPYLEFT': 3
+    };
+    const projLevel = restrictiveness[proj];
+    const depLevel = restrictiveness[dep];
+    if (projLevel === undefined || depLevel === undefined) {
+        return 'unknown';
+    }
+    // Dependency is more restrictive than project → incompatible
+    if (depLevel > projLevel) {
+        return 'incompatible';
+    }
+    // Dependency is equal or less restrictive → compatible
+    return 'compatible';
+}

package/dist/src/license/index.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Run full license check: resolve project license (with backend identification and details),
+ * get dependency licenses from analysis report, and compute incompatibilities.
+ *
+ * @param {string} sbomContent - CycloneDX SBOM JSON string (the one sent for component analysis)
+ * @param {string} manifestPath - path to manifest
+ * @param {string} url - the backend url to send the request to
+ * @param {import('../index.js').Options} [opts={}]
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} [analysisResult] - analysis result that includes licenses array from backend
+ * @returns {Promise<{ projectLicense: { manifest: Object|null, file: Object|null, mismatch: boolean }, incompatibleDependencies: Array<{ purl: string, licenses: string[], category?: string, reason: string }>, error?: string }>}
+ */
+export function runLicenseCheck(sbomContent: string, manifestPath: string, url: string, opts?: import("../index.js").Options, analysisResult?: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport): Promise<{
+    projectLicense: {
+        manifest: any | null;
+        file: any | null;
+        mismatch: boolean;
+    };
+    incompatibleDependencies: Array<{
+        purl: string;
+        licenses: string[];
+        category?: string;
+        reason: string;
+    }>;
+    error?: string;
+}>;
+export { getCompatibility } from "./compatibility.js";
+export { getProjectLicense, findLicenseFilePath, identifyLicense as identifyLicenseViaBackend } from "./project_license.js";
+export { licensesFromReport, normalizeLicensesResponse, getLicenseDetails } from "./licenses_api.js";

package/dist/src/license/index.js

@@ -0,0 +1,100 @@
+/**
+ * License resolution and dependency license compatibility for component analysis.
+ */
+import { getProjectLicense, findLicenseFilePath, identifyLicense } from './project_license.js';
+import { licensesFromReport, getLicenseDetails } from './licenses_api.js';
+import { getCompatibility } from './compatibility.js';
+export { getProjectLicense, findLicenseFilePath, identifyLicense as identifyLicenseViaBackend } from './project_license.js';
+export { licensesFromReport, normalizeLicensesResponse, getLicenseDetails } from './licenses_api.js';
+export { getCompatibility } from './compatibility.js';
+/**
+ * Run full license check: resolve project license (with backend identification and details),
+ * get dependency licenses from analysis report, and compute incompatibilities.
+ *
+ * @param {string} sbomContent - CycloneDX SBOM JSON string (the one sent for component analysis)
+ * @param {string} manifestPath - path to manifest
+ * @param {string} url - the backend url to send the request to
+ * @param {import('../index.js').Options} [opts={}]
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} [analysisResult] - analysis result that includes licenses array from backend
+ * @returns {Promise<{ projectLicense: { manifest: Object|null, file: Object|null, mismatch: boolean }, incompatibleDependencies: Array<{ purl: string, licenses: string[], category?: string, reason: string }>, error?: string }>}
+ */
+export async function runLicenseCheck(sbomContent, manifestPath, url, opts = {}, analysisResult = null) {
+    // Resolve project license from manifest and LICENSE file
+    const projectLicense = getProjectLicense(manifestPath, opts);
+    // Try backend identification for LICENSE file (more accurate than local pattern matching)
+    const licenseFilePath = findLicenseFilePath(manifestPath);
+    let backendFileId = null;
+    if (licenseFilePath) {
+        try {
+            backendFileId = await identifyLicense(licenseFilePath, { ...opts, TRUSTIFY_DA_BACKEND_URL: url });
+        }
+        catch {
+            // Fall back to local detection
+        }
+    }
+    // Determine final license identifiers
+    const manifestSpdx = projectLicense.fromManifest;
+    const fileSpdx = backendFileId || projectLicense.fromFile;
+    const mismatch = Boolean(manifestSpdx && fileSpdx && manifestSpdx.toLowerCase() !== fileSpdx.toLowerCase());
+    // Fetch detailed license info from backend (avoid duplicate calls if same license)
+    const licenseDetailsCache = new Map();
+    async function getDetails(spdxId) {
+        if (!spdxId || !url)
+            return null;
+        if (licenseDetailsCache.has(spdxId))
+            return licenseDetailsCache.get(spdxId);
+        try {
+            const details = await getLicenseDetails(spdxId, { ...opts, TRUSTIFY_DA_BACKEND_URL: url });
+            licenseDetailsCache.set(spdxId, details);
+            return details;
+        }
+        catch {
+            return null;
+        }
+    }
+    const manifestLicenseInfo = await getDetails(manifestSpdx);
+    const fileLicenseInfo = await getDetails(fileSpdx);
+    // Extract dependency purls from SBOM (exclude root component)
+    const sbomObj = typeof sbomContent === 'string' ? JSON.parse(sbomContent) : sbomContent;
+    const rootRef = sbomObj?.metadata?.component?.["bom-ref"] || sbomObj?.metadata?.component?.purl;
+    const purls = (sbomObj?.components || [])
+        .map(c => c.purl || c["bom-ref"])
+        .filter(Boolean)
+        .filter(purl => !rootRef || purl !== rootRef);
+    if (purls.length === 0) {
+        return {
+            projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+            incompatibleDependencies: []
+        };
+    }
+    // Get dependency licenses from analysis report
+    const licenseByPurl = licensesFromReport(analysisResult, purls);
+    if (licenseByPurl.size === 0 && analysisResult) {
+        return {
+            projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+            incompatibleDependencies: [],
+            error: 'No license data available in analysis report'
+        };
+    }
+    // Check compatibility for each dependency
+    const projectCategory = manifestLicenseInfo?.category || fileLicenseInfo?.category;
+    const incompatibleDependencies = [];
+    for (const purl of purls) {
+        const entry = licenseByPurl.get(purl);
+        if (!entry)
+            continue;
+        const status = getCompatibility(projectCategory, entry.category);
+        if (status === 'incompatible') {
+            incompatibleDependencies.push({
+                purl,
+                licenses: entry.licenses,
+                category: entry.category,
+                reason: 'Dependency license(s) are incompatible with the project license.'
+            });
+        }
+    }
+    return {
+        projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+        incompatibleDependencies
+    };
+}

package/dist/src/license/licenses_api.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Fetch license details by SPDX identifier from the backend GET /api/v5/licenses/{spdx}.
+ * Returns detailed information about a specific license including category, name, and text.
+ *
+ * @param {string} spdxId - SPDX identifier (e.g., "Apache-2.0", "MIT")
+ * @param {import('../index.js').Options} [opts={}] - options (proxy, token, TRUSTIFY_DA_BACKEND_URL, etc.)
+ * @returns {Promise<Object|null>} License details or null if not found
+ */
+export function getLicenseDetails(spdxId: string, opts?: import("../index.js").Options): Promise<any | null>;
+/**
+ * Normalize the LicensesResponse shape (array of LicenseProviderResult) into a map of purl -> license info.
+ * Each provider result has { status, summary, packages } where packages is { [purl]: { concluded, evidence } }.
+ * We merge the first successful provider's packages; concluded has identifiers[], category (PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN).
+ *
+ * @param {unknown} data - LicensesResponse (array) or analysis report's licenses field
+ * @param {string[]} [purls] - optional list of purls to restrict to (for consistency with getLicensesByPurl)
+ * @returns {Map<string, { licenses: string[], category?: string }>}
+ */
+export function normalizeLicensesResponse(data: unknown, purls?: string[]): Map<string, {
+    licenses: string[];
+    category?: string;
+}>;
+/**
+ * Build license map from an analysis report that already includes license data (result.licenses).
+ * Use this when the dependency analysis response already contains the licenses array to avoid a second request.
+ *
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} analysisReport - full analysis JSON
+ * @param {string[]} [purls] - optional list of purls to restrict to
+ * @returns {Map<string, { licenses: string[], category?: string }>}
+ */
+export function licensesFromReport(analysisReport: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport, purls?: string[]): Map<string, {
+    licenses: string[];
+    category?: string;
+}>;