@trustify-da/trustify-da-javascript-client 0.3.0-ea.63ae5c2 → 0.3.0-ea.7144952

package/dist/src/license/licenses_api.js

@@ -0,0 +1,98 @@
+/**
+ * Client for the Trustify DA backend License Analysis API (POST /api/v5/licenses).
+ * The same license data shape is returned in the dependency analysis JSON report (result.licenses).
+ * @see https://github.com/guacsec/trustify-dependency-analytics#license-analysis-apiv5licenses
+ * @see https://github.com/guacsec/trustify-da-api-spec/blob/main/api/v5/openapi.yaml
+ */
+import { PackageURL } from 'packageurl-js';
+import { selectTrustifyDABackend } from '../index.js';
+import { addProxyAgent, getTokenHeaders } from '../tools.js';
+/**
+ * Fetch license details by SPDX identifier from the backend GET /api/v5/licenses/{spdx}.
+ * Returns detailed information about a specific license including category, name, and text.
+ *
+ * @param {string} spdxId - SPDX identifier (e.g., "Apache-2.0", "MIT")
+ * @param {import('../index.js').Options} [opts={}] - options (proxy, token, TRUSTIFY_DA_BACKEND_URL, etc.)
+ * @returns {Promise<Object|null>} License details or null if not found
+ */
+export async function getLicenseDetails(spdxId, opts = {}) {
+    if (!spdxId) {
+        return null;
+    }
+    const url = selectTrustifyDABackend(opts);
+    const finalUrl = new URL(`${url}/api/v5/licenses/${encodeURIComponent(spdxId)}`);
+    const fetchOptions = addProxyAgent({
+        method: 'GET',
+        headers: {
+            'Accept': 'application/json',
+            ...getTokenHeaders(opts)
+        },
+    }, opts);
+    try {
+        const resp = await fetch(finalUrl, fetchOptions);
+        if (!resp.ok) {
+            const errorText = await resp.text().catch(() => '');
+            throw new Error(`HTTP ${resp.status}: ${errorText || resp.statusText}`);
+        }
+        return await resp.json();
+    }
+    catch (err) {
+        throw new Error(`Failed to fetch license details: ${err.message}`);
+    }
+}
+function normalizePurlString(purl) {
+    const parsed = PackageURL.fromString(purl);
+    return new PackageURL(parsed.type, parsed.namespace, parsed.name, parsed.version, null, null).toString();
+}
+/**
+ * Normalize the LicensesResponse shape (array of LicenseProviderResult) into a map of purl -> license info.
+ * Each provider result has { status, summary, packages } where packages is { [purl]: { concluded, evidence } }.
+ * We merge the first successful provider's packages; concluded has identifiers[], category (PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN).
+ *
+ * @param {unknown} data - LicensesResponse (array) or analysis report's licenses field
+ * @param {string[]} [purls] - optional list of purls to restrict to (for consistency with getLicensesByPurl)
+ * @returns {Map<string, { licenses: string[], category?: string }>}
+ */
+export function normalizeLicensesResponse(data, purls = []) {
+    const map = new Map();
+    if (!data || !Array.isArray(data)) {
+        return map;
+    }
+    const normalizedPurlsSet = purls.length > 0 ? new Set(purls.map(normalizePurlString)) : null;
+    for (const providerResult of data) {
+        const packages = providerResult?.packages;
+        if (!packages || typeof packages !== 'object') {
+            continue;
+        }
+        for (const [purl, pkgLicense] of Object.entries(packages)) {
+            const concluded = pkgLicense?.concluded;
+            const identifiers = Array.isArray(concluded?.identifiers) ? concluded.identifiers : [];
+            const expression = concluded?.expression;
+            const licenses = identifiers.length > 0 ? identifiers : (expression ? [expression] : []);
+            const category = concluded?.category; // PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+            const normalizedPurl = normalizePurlString(purl);
+            if (normalizedPurlsSet === null || normalizedPurlsSet.has(normalizedPurl)) {
+                map.set(normalizedPurl, { licenses: licenses.filter(Boolean), category });
+            }
+        }
+        // Use first provider that has packages; backend may return multiple (e.g. deps.dev)
+        if (map.size > 0) {
+            break;
+        }
+    }
+    return map;
+}
+/**
+ * Build license map from an analysis report that already includes license data (result.licenses).
+ * Use this when the dependency analysis response already contains the licenses array to avoid a second request.
+ *
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} analysisReport - full analysis JSON
+ * @param {string[]} [purls] - optional list of purls to restrict to
+ * @returns {Map<string, { licenses: string[], category?: string }>}
+ */
+export function licensesFromReport(analysisReport, purls = []) {
+    if (!analysisReport?.licenses) {
+        return new Map();
+    }
+    return normalizeLicensesResponse(analysisReport.licenses, purls);
+}

package/dist/src/license/project_license.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Resolve project license from manifest and from LICENSE / LICENSE.md in manifest dir or git root.
+ * Uses local pattern matching for LICENSE file identification (synchronous).
+ * For more accurate backend-based identification, use identifyLicense() separately.
+ * @param {string} manifestPath - path to manifest
+ * @returns {{ fromManifest: string|null, fromFile: string|null, mismatch: boolean }}
+ */
+export function getProjectLicense(manifestPath: string): {
+    fromManifest: string | null;
+    fromFile: string | null;
+    mismatch: boolean;
+};
+/**
+ * Call backend /licenses/identify endpoint to identify license from file.
+ * @param {string} licenseFilePath - path to LICENSE file
+ * @param {{}} [opts={}] - options (proxy, token, etc.)
+ * @returns {Promise<string|null>} - SPDX identifier or null
+ */
+export function identifyLicense(licenseFilePath: string, opts?: {}): Promise<string | null>;
+export { findLicenseFilePath, readLicenseFile } from "./license_utils.js";

package/dist/src/license/project_license.js

@@ -0,0 +1,62 @@
+/**
+ * Resolves the project license from the manifest and from a LICENSE / LICENSE.md file.
+ * Used to report manifest-vs-file mismatch and as the baseline for dependency license compatibility.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { selectTrustifyDABackend } from '../index.js';
+import { matchForLicense, availableProviders } from '../provider.js';
+import { addProxyAgent, getTokenHeaders } from '../tools.js';
+import { normalizeSpdx, readLicenseFile } from './license_utils.js';
+/**
+ * Resolve project license from manifest and from LICENSE / LICENSE.md in manifest dir or git root.
+ * Uses local pattern matching for LICENSE file identification (synchronous).
+ * For more accurate backend-based identification, use identifyLicense() separately.
+ * @param {string} manifestPath - path to manifest
+ * @returns {{ fromManifest: string|null, fromFile: string|null, mismatch: boolean }}
+ */
+export function getProjectLicense(manifestPath) {
+    const resolved = path.resolve(manifestPath);
+    const provider = matchForLicense(resolved, availableProviders);
+    const fromManifest = provider.readLicenseFromManifest(resolved);
+    const fromFile = readLicenseFile(resolved);
+    const mismatch = Boolean(fromManifest && fromFile && normalizeSpdx(fromManifest) !== normalizeSpdx(fromFile));
+    return {
+        fromManifest: fromManifest || null,
+        fromFile: fromFile || null,
+        mismatch
+    };
+}
+export { findLicenseFilePath, readLicenseFile } from './license_utils.js';
+/**
+ * Call backend /licenses/identify endpoint to identify license from file.
+ * @param {string} licenseFilePath - path to LICENSE file
+ * @param {{}} [opts={}] - options (proxy, token, etc.)
+ * @returns {Promise<string|null>} - SPDX identifier or null
+ */
+export async function identifyLicense(licenseFilePath, opts = {}) {
+    try {
+        const fileContent = fs.readFileSync(licenseFilePath);
+        const backendUrl = selectTrustifyDABackend(opts);
+        const url = new URL(`${backendUrl}/api/v5/licenses/identify`);
+        const tokenHeaders = getTokenHeaders(opts);
+        const fetchOptions = addProxyAgent({
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/octet-stream',
+                ...tokenHeaders,
+            },
+            body: fileContent,
+        }, opts);
+        const resp = await fetch(url, fetchOptions);
+        if (!resp.ok) {
+            return null; // Fallback to local detection on error
+        }
+        const data = await resp.json();
+        // Extract SPDX identifier from backend response
+        return data?.license?.id || data?.spdx_id || data?.identifier || null;
+    }
+    catch {
+        return null; // Fallback to local detection on error
+    }
+}

package/dist/src/provider.d.ts

@@ -1,3 +1,11 @@
+/**
+ * Match a provider by manifest type only (no lock file check). Used for license reading.
+ * @param {string} manifestPath - path or name of the manifest
+ * @param {[Provider]} providers - list of providers to iterate over
+ * @returns {Provider}
+ * @throws {Error} when the manifest is not supported and no provider was matched
+ */
+export function matchForLicense(manifestPath: string, providers: [Provider]): Provider;
 /**
  * Match a provider from a list or providers based on file type.
  * Each provider MUST export 'isSupported' taking a file name-type and returning true if supported.
@@ -5,12 +13,15 @@
  * Each provider MUST export 'provideStack' taking manifest path returning a {@link Provided}.
  * @param {string} manifest - the name-type or path of the manifest
  * @param {[Provider]} providers - list of providers to iterate over
+ * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional; TRUSTIFY_DA_WORKSPACE_DIR overrides lock file location for workspaces
  * @returns {Provider}
  * @throws {Error} when the manifest is not supported and no provider was matched
  */
-export function match(manifest: string, providers: [Provider]): Provider;
+export function match(manifest: string, providers: [Provider], opts?: {
+    TRUSTIFY_DA_WORKSPACE_DIR?: string;
+}): Provider;
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -23,7 +34,8 @@ export type Provided = {
 };
 export type Provider = {
     isSupported: (arg0: string) => boolean;
-    validateLockFile: (arg0: string) => void;
+    validateLockFile: (arg0: string, arg1: any) => void;
     provideComponent: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
     provideStack: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
+    readLicenseFromManifest: (arg0: string) => string | null;
 };

package/dist/src/provider.js

@@ -7,8 +7,9 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import rustCargoProvider from './providers/rust_cargo.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -17,12 +18,28 @@ export const availableProviders = [
     new Java_maven(),
     new Java_gradle_groovy(),
     new Java_gradle_kotlin(),
-    new Javascript_npm(),
     new Javascript_pnpm(),
     new Javascript_yarn(),
+    new Javascript_npm(),
     golangGomodulesProvider,
-    pythonPipProvider
+    pythonPipProvider,
+    rustCargoProvider
 ];
+/**
+ * Match a provider by manifest type only (no lock file check). Used for license reading.
+ * @param {string} manifestPath - path or name of the manifest
+ * @param {[Provider]} providers - list of providers to iterate over
+ * @returns {Provider}
+ * @throws {Error} when the manifest is not supported and no provider was matched
+ */
+export function matchForLicense(manifestPath, providers) {
+    const base = path.parse(manifestPath).base;
+    const provider = providers.find(prov => prov.isSupported(base));
+    if (!provider) {
+        throw new Error(`${base} is not supported`);
+    }
+    return provider;
+}
 /**
  * Match a provider from a list or providers based on file type.
  * Each provider MUST export 'isSupported' taking a file name-type and returning true if supported.
@@ -30,16 +47,17 @@ export const availableProviders = [
  * Each provider MUST export 'provideStack' taking manifest path returning a {@link Provided}.
  * @param {string} manifest - the name-type or path of the manifest
  * @param {[Provider]} providers - list of providers to iterate over
+ * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional; TRUSTIFY_DA_WORKSPACE_DIR overrides lock file location for workspaces
  * @returns {Provider}
  * @throws {Error} when the manifest is not supported and no provider was matched
  */
-export function match(manifest, providers) {
+export function match(manifest, providers, opts = {}) {
     const manifestPath = path.parse(manifest);
     const supported = providers.filter(prov => prov.isSupported(manifestPath.base));
     if (supported.length === 0) {
         throw new Error(`${manifestPath.base} is not supported`);
     }
-    const provider = supported.find(prov => prov.validateLockFile(manifestPath.dir));
+    const provider = supported.find(prov => prov.validateLockFile(manifestPath.dir, opts));
     if (!provider) {
         throw new Error(`${manifestPath.base} requires a lock file. Use your preferred package manager to generate the lock file.`);
     }

package/dist/src/providers/base_javascript.d.ts

@@ -1,5 +1,6 @@
-/** @typedef {import('../provider.js').Provider} Provider */
-/** @typedef {import('../provider.js').Provided} Provided */
+export type purlType = import("../provider").Provider;
+/** @typedef {import('../provider').Provider} */
+/** @typedef {import('../provider').Provided} Provided */
 /**
  * The ecosystem identifier for JavaScript/npm packages
  * @type {string}
@@ -66,11 +67,16 @@ export default class Base_javascript {
    */
     isSupported(manifestName: string): boolean;
     /**
-   * Checks if a required lock file exists in the same path as the manifest
+   * Checks if a required lock file exists in the manifest directory or at the workspace root.
+   * When TRUSTIFY_DA_WORKSPACE_DIR is provided (via env var or opts),
+   * checks only that directory for the lock file.
    * @param {string} manifestDir - The base directory where the manifest is located
+   * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional workspace root
    * @returns {boolean} True if the lock file exists
    */
-    validateLockFile(manifestDir: string): boolean;
+    validateLockFile(manifestDir: string, opts?: {
+        TRUSTIFY_DA_WORKSPACE_DIR?: string;
+    }): boolean;
     /**
    * Provides content and content type for stack analysis
    * @param {string} manifestPath - The manifest path or name
@@ -85,13 +91,20 @@ export default class Base_javascript {
    * @returns {Provided} The provided data for component analysis
    */
     provideComponent(manifestPath: string, opts?: any): Provided;
+    /**
+     * Read license from manifest (package.json). Reused by npm, pnpm, yarn.
+     * @param {string} manifestPath - path to package.json
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath: string): string | null;
     /**
    * Builds the dependency tree for the project
    * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @param {Object} [opts={}] - Configuration options; when `TRUSTIFY_DA_WORKSPACE_DIR` is set, commands run from workspace root
    * @returns {Object} The dependency tree
    * @protected
    */
-    protected _buildDependencyTree(includeTransitive: boolean): any;
+    protected _buildDependencyTree(includeTransitive: boolean, opts?: any): any;
     /**
    * Recursively builds the Sbom from the JSON that npm listing returns
    * @param {Sbom} sbom - The SBOM object to add dependencies to
@@ -121,7 +134,6 @@ export default class Base_javascript {
     protected _parseDepTreeOutput(output: string): string;
     #private;
 }
-export type Provider = import("../provider.js").Provider;
-export type Provided = import("../provider.js").Provided;
+export type Provided = import("../provider").Provided;
 import Manifest from './manifest.js';
 import Sbom from '../sbom.js';

package/dist/src/providers/base_javascript.js

@@ -1,11 +1,12 @@
 import fs from 'node:fs';
 import os from "node:os";
 import path from 'node:path';
+import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
-import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from "../tools.js";
+import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from '../tools.js';
 import Manifest from './manifest.js';
-/** @typedef {import('../provider.js').Provider} Provider */
-/** @typedef {import('../provider.js').Provided} Provided */
+/** @typedef {import('../provider').Provider} */
+/** @typedef {import('../provider').Provided} Provided */
 /**
  * The ecosystem identifier for JavaScript/npm packages
  * @type {string}
@@ -96,12 +97,17 @@ export default class Base_javascript {
         return 'package.json' === manifestName;
     }
     /**
-   * Checks if a required lock file exists in the same path as the manifest
+   * Checks if a required lock file exists in the manifest directory or at the workspace root.
+   * When TRUSTIFY_DA_WORKSPACE_DIR is provided (via env var or opts),
+   * checks only that directory for the lock file.
    * @param {string} manifestDir - The base directory where the manifest is located
+   * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional workspace root
    * @returns {boolean} True if the lock file exists
    */
-    validateLockFile(manifestDir) {
-        const lock = path.join(manifestDir, this._lockFileName());
+    validateLockFile(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        const dirToCheck = workspaceDir ? path.resolve(workspaceDir) : manifestDir;
+        const lock = path.join(dirToCheck, this._lockFileName());
         return fs.existsSync(lock);
     }
     /**
@@ -132,17 +138,43 @@ export default class Base_javascript {
             contentType: 'application/vnd.cyclonedx+json'
         };
     }
+    /**
+     * Read license from manifest (package.json). Reused by npm, pnpm, yarn.
+     * @param {string} manifestPath - path to package.json
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath) {
+        let manifestLicense;
+        try {
+            const content = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
+            if (typeof content.license === 'string') {
+                manifestLicense = content.license.trim() || null;
+            }
+            else if (Array.isArray(content.licenses) && content.licenses.length > 0) {
+                const first = content.licenses[0];
+                const name = first.type || first.name;
+                manifestLicense = (typeof name === 'string' ? name.trim() : null);
+            }
+        }
+        catch {
+            manifestLicense = null;
+        }
+        return getLicense(manifestLicense, manifestPath);
+    }
     /**
    * Builds the dependency tree for the project
    * @param {boolean} includeTransitive - Whether to include transitive dependencies
+   * @param {Object} [opts={}] - Configuration options; when `TRUSTIFY_DA_WORKSPACE_DIR` is set, commands run from workspace root
    * @returns {Object} The dependency tree
    * @protected
    */
-    _buildDependencyTree(includeTransitive) {
+    _buildDependencyTree(includeTransitive, opts = {}) {
         this._version();
-        let manifestDir = path.dirname(this.#manifest.manifestPath);
-        this.#createLockFile(manifestDir);
-        let output = this.#executeListCmd(includeTransitive, manifestDir);
+        const manifestDir = path.dirname(this.#manifest.manifestPath);
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        const cmdDir = workspaceDir ? path.resolve(workspaceDir) : manifestDir;
+        this.#createLockFile(cmdDir);
+        let output = this.#executeListCmd(includeTransitive, cmdDir);
         output = this._parseDepTreeOutput(output);
         return JSON.parse(output);
     }
@@ -153,10 +185,11 @@ export default class Base_javascript {
    * @private
    */
     #getSBOM(opts = {}) {
-        const depsObject = this._buildDependencyTree(true);
+        const depsObject = this._buildDependencyTree(true, opts);
         let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const license = this.readLicenseFromManifest(this.#manifest.manifestPath);
         let sbom = new Sbom();
-        sbom.addRoot(mainComponent);
+        sbom.addRoot(mainComponent, license);
         this._addDependenciesToSbom(sbom, depsObject);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
@@ -204,10 +237,11 @@ export default class Base_javascript {
    * @private
    */
     #getDirectDependencySbom(opts = {}) {
-        const depTree = this._buildDependencyTree(false);
+        const depTree = this._buildDependencyTree(false, opts);
         let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const license = this.readLicenseFromManifest(this.#manifest.manifestPath);
         let sbom = new Sbom();
-        sbom.addRoot(mainComponent);
+        sbom.addRoot(mainComponent, license);
         const rootDeps = this._getRootDependencies(depTree);
         const sortedDepsKeys = Array
             .from(rootDeps.keys())

package/dist/src/providers/golang_gomodules.d.ts

@@ -3,6 +3,7 @@ declare namespace _default {
     export { validateLockFile };
     export { provideComponent };
     export { provideStack };
+    export { readLicenseFromManifest };
 }
 export default _default;
 export type Provided = import("../provider").Provided;
@@ -20,7 +21,7 @@ export type Dependency = {
 /**
  * @param {string} manifestName - the subject manifest name-type
  * @returns {boolean} - return true if `pom.xml` is the manifest name-type
- */
+*/
 declare function isSupported(manifestName: string): boolean;
 /**
  * @param {string} manifestDir - the directory where the manifest lies
@@ -40,3 +41,9 @@ declare function provideComponent(manifest: string, opts?: {}): Provided;
  * @returns {Provided}
  */
 declare function provideStack(manifest: string, opts?: {}): Provided;
+/**
+ * Go modules have no standard license field in go.mod
+ * @param {string} manifestPath - path to go.mod
+ * @returns {string|null}
+*/
+declare function readLicenseFromManifest(manifestPath: string): string | null;

package/dist/src/providers/golang_gomodules.js

@@ -2,9 +2,10 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { EOL } from "os";
 import { PackageURL } from 'packageurl-js';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom, getCustomPath, invokeCommand } from "../tools.js";
-export default { isSupported, validateLockFile, provideComponent, provideStack };
+export default { isSupported, validateLockFile, provideComponent, provideStack, readLicenseFromManifest };
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -12,16 +13,23 @@ export default { isSupported, validateLockFile, provideComponent, provideStack }
 /**
  * @type {string} ecosystem for npm-npm is 'maven'
  * @private
- */
+*/
 const ecosystem = 'golang';
 const defaultMainModuleVersion = "v0.0.0";
 /**
  * @param {string} manifestName - the subject manifest name-type
  * @returns {boolean} - return true if `pom.xml` is the manifest name-type
- */
+*/
 function isSupported(manifestName) {
     return 'go.mod' === manifestName;
 }
+/**
+ * Go modules have no standard license field in go.mod
+ * @param {string} manifestPath - path to go.mod
+ * @returns {string|null}
+*/
+// eslint-disable-next-line no-unused-vars
+function readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
 /**
  * @param {string} manifestDir - the directory where the manifest lies
  */
@@ -250,7 +258,8 @@ function getSBOM(manifest, opts = {}, includeTransitive) {
         performManifestVersionsCheck(root, rows, manifest);
     }
     const mainModule = toPurl(root, "@");
-    sbom.addRoot(mainModule);
+    const license = readLicenseFromManifest(manifest);
+    sbom.addRoot(mainModule, license);
     const exhortGoMvsLogicEnabled = getCustom("TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED", "true", opts);
     if (includeTransitive && exhortGoMvsLogicEnabled === "true") {
         rows = getFinalPackagesVersionsForModule(rows, manifest, goBin);

package/dist/src/providers/java_gradle.d.ts

@@ -15,6 +15,12 @@ export default class Java_gradle extends Base_java {
      * @param {string} manifestDir - the directory where the manifest lies
      */
     validateLockFile(): boolean;
+    /**
+     * Gradle manifests (build.gradle, build.gradle.kts) have no standard license field.
+     * @param {string} manifestPath - path to manifest
+     * @returns {null}
+     */
+    readLicenseFromManifest(manifestPath: string): null;
     /**
      * Provide content and content type for stack analysis.
      * @param {string} manifest - the manifest path or name

package/dist/src/providers/java_gradle.js

@@ -2,6 +2,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { EOL } from 'os';
 import TOML from 'fast-toml';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import Base_java, { ecosystem_gradle } from "./base_java.js";
 /** @typedef {import('../provider.js').Provider} */
@@ -49,6 +50,13 @@ export default class Java_gradle extends Base_java {
      * @param {string} manifestDir - the directory where the manifest lies
      */
     validateLockFile() { return true; }
+    /**
+     * Gradle manifests (build.gradle, build.gradle.kts) have no standard license field.
+     * @param {string} manifestPath - path to manifest
+     * @returns {null}
+     */
+    // eslint-disable-next-line no-unused-vars
+    readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
     /**
      * Provide content and content type for stack analysis.
      * @param {string} manifest - the manifest path or name
@@ -158,7 +166,8 @@ export default class Java_gradle extends Base_java {
         let sbom = new Sbom();
         let root = `${properties.group}:${properties[ROOT_PROJECT_KEY_NAME].match(/Root project '(.+)'/)[1]}:jar:${properties.version}`;
         let rootPurl = this.parseDep(root);
-        sbom.addRoot(rootPurl);
+        const license = this.readLicenseFromManifest(manifestPath);
+        sbom.addRoot(rootPurl, license);
         let ignoredDeps = this.#getIgnoredDeps(manifestPath);
         const [runtimeConfig, compileConfig] = this.#extractConfigurations(content);
         const processedDeps = new Set();
@@ -298,7 +307,8 @@ export default class Java_gradle extends Base_java {
         let sbom = new Sbom();
         let root = `${properties.group}:${properties[ROOT_PROJECT_KEY_NAME].match(/Root project '(.+)'/)[1]}:jar:${properties.version}`;
         let rootPurl = this.parseDep(root);
-        sbom.addRoot(rootPurl);
+        const license = this.readLicenseFromManifest(manifestPath);
+        sbom.addRoot(rootPurl, license);
         let ignoredDeps = this.#getIgnoredDeps(manifestPath);
         const [runtimeConfig, compileConfig] = this.#extractConfigurations(content);
         let directDependencies = new Map();

package/dist/src/providers/java_maven.d.ts

@@ -27,13 +27,20 @@ export default class Java_maven extends Base_java {
      * @returns {Provided}
      */
     provideComponent(manifest: string, opts?: {}): Provided;
+    /**
+     * Read license from pom.xml manifest, with fallback to LICENSE file
+     * @param {string} manifestPath - path to pom.xml
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath: string): string | null;
     /**
      *
      * @param {String} textGraphList Text graph String of the manifest
      * @param {[String]} ignoredDeps List of ignored dependencies to be omitted from sbom
+     * @param {String} manifestPath Path to the pom.xml manifest
      * @return {String} formatted sbom Json String with all dependencies
      */
-    createSbomFileFromTextFormat(textGraphList: string, ignoredDeps: [string], opts: any): string;
+    createSbomFileFromTextFormat(textGraphList: string, ignoredDeps: [string], opts: any, manifestPath: string): string;
     #private;
 }
 export type Java_maven = import("../provider").Provider;