@trustify-da/trustify-da-javascript-client 0.3.0-ea.63ae5c2 → 0.3.0-ea.7144952

package/dist/src/tools.js

@@ -1,5 +1,6 @@
 import { execFileSync } from "child_process";
 import { EOL } from "os";
+import { HttpsProxyAgent } from "https-proxy-agent";
 import { PackageURL } from "packageurl-js";
 export const RegexNotToBeLogged = /TRUSTIFY_DA_(.*_)?TOKEN|ex-.*-token|trust-.*-token/;
 /**
@@ -157,3 +158,57 @@ export function invokeCommand(bin, args, opts = {}) {
     };
     return execFileSync(bin, args, { ...{ stdio: 'pipe', encoding: 'utf-8' }, ...opts });
 }
+export const TRUSTIFY_DA_TOKEN_HEADER = "trust-da-token";
+export const TRUSTIFY_DA_TELEMETRY_ID_HEADER = "telemetry-anonymous-id";
+export const TRUSTIFY_DA_SOURCE_HEADER = "trust-da-source";
+export const TRUSTIFY_DA_OPERATION_TYPE_HEADER = "trust-da-operation-type";
+export const TRUSTIFY_DA_PACKAGE_MANAGER_HEADER = "trust-da-pkg-manager";
+/**
+ * Adds proxy agent configuration to fetch options if a proxy URL is specified
+ * @param {RequestInit} options - The base fetch options
+ * @param {import("index.js").Options} opts - The trustify DA options that may contain proxy configuration
+ * @returns {RequestInit} The fetch options with proxy agent if applicable
+ */
+export function addProxyAgent(options, opts) {
+    const proxyUrl = getCustom('TRUSTIFY_DA_PROXY_URL', null, opts);
+    if (proxyUrl) {
+        options.agent = new HttpsProxyAgent(proxyUrl);
+    }
+    return options;
+}
+/**
+ * Utility function for fetching vendor tokens
+ * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
+ * @returns {{}}
+ */
+export function getTokenHeaders(opts = {}) {
+    let headers = {};
+    setCustomHeader(TRUSTIFY_DA_TOKEN_HEADER, headers, 'TRUSTIFY_DA_TOKEN', opts);
+    setCustomHeader(TRUSTIFY_DA_SOURCE_HEADER, headers, 'TRUSTIFY_DA_SOURCE', opts);
+    setCustomHeader(TRUSTIFY_DA_OPERATION_TYPE_HEADER, headers, TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_"), opts);
+    setCustomHeader(TRUSTIFY_DA_PACKAGE_MANAGER_HEADER, headers, TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_"), opts);
+    setCustomHeader(TRUSTIFY_DA_TELEMETRY_ID_HEADER, headers, 'TRUSTIFY_DA_TELEMETRY_ID', opts);
+    if (getCustom("TRUSTIFY_DA_DEBUG", null, opts) === "true") {
+        console.log("Headers Values to be sent to Trustify DA backend:" + EOL);
+        for (const headerKey in headers) {
+            if (!headerKey.match(RegexNotToBeLogged)) {
+                console.log(`${headerKey}: ${headers[headerKey]}`);
+            }
+        }
+    }
+    return headers;
+}
+/**
+ *
+ * @param {string} headerName - the header name to populate in request
+ * @param headers
+ * @param {string} optsKey - key in the options object to use the value for
+ * @param {import("index.js").Options} [opts={}] - options input object to fetch header values from
+ * @private
+ */
+function setCustomHeader(headerName, headers, optsKey, opts) {
+    let customHeaderValue = getCustom(optsKey, null, opts);
+    if (customHeaderValue) {
+        headers[headerName] = customHeaderValue;
+    }
+}

package/dist/src/workspace.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Resolve ignore globs for workspace discovery: defaults + `TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE` + `opts.workspaceDiscoveryIgnore`.
+ * Patterns are fast-glob / micromatch style, relative to the workspace root (forward slashes).
+ *
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}]
+ * @returns {string[]}
+ */
+export function resolveWorkspaceDiscoveryIgnore(opts?: {
+    workspaceDiscoveryIgnore?: string[];
+    TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string;
+    [key: string]: unknown;
+}): string[];
+/**
+ * Drop manifest paths whose location matches an ignore pattern (e.g. root unshift, Cargo paths).
+ *
+ * @param {string[]} manifestPaths
+ * @param {string} root
+ * @param {string[]} ignorePatterns
+ * @returns {string[]}
+ */
+export function filterManifestPathsByDiscoveryIgnore(manifestPaths: string[], root: string, ignorePatterns: string[]): string[];
+/**
+ * @typedef {{ valid: true, name: string, version: string } | { valid: false, error: string }} ValidatePackageJsonResult
+ */
+/**
+ * Validate a package.json has non-empty `name` and `version` (required for stable SBOM root identity in batch).
+ *
+ * @param {string} packageJsonPath - Absolute or relative path to package.json
+ * @returns {ValidatePackageJsonResult}
+ */
+export function validatePackageJson(packageJsonPath: string): ValidatePackageJsonResult;
+/**
+ * Discover all package.json paths in a JS/TS workspace.
+ * Reads pnpm-workspace.yaml or package.json workspaces.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}] - optional `workspaceDiscoveryIgnore` globs (merged with defaults and env)
+ * @returns {Promise<string[]>} Paths to package.json files (absolute)
+ */
+export function discoverWorkspacePackages(workspaceRoot: string, opts?: {
+    workspaceDiscoveryIgnore?: string[];
+    TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string;
+    [key: string]: unknown;
+}): Promise<string[]>;
+/**
+ * Discover all Cargo.toml manifest paths in a Cargo workspace.
+ * Uses `cargo metadata` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain Cargo.toml and Cargo.lock)
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to Cargo.toml files (absolute)
+ */
+export function discoverWorkspaceCrates(workspaceRoot: string, opts?: import("./index.js").Options): Promise<string[]>;
+export type ValidatePackageJsonResult = {
+    valid: true;
+    name: string;
+    version: string;
+} | {
+    valid: false;
+    error: string;
+};

package/dist/src/workspace.js

@@ -0,0 +1,256 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import fg from 'fast-glob';
+import { load as yamlLoad } from 'js-yaml';
+import micromatch from 'micromatch';
+import { getCustom, getCustomPath, invokeCommand } from './tools.js';
+/** Default paths skipped during JS workspace discovery (merged with user patterns). */
+const DEFAULT_WORKSPACE_DISCOVERY_IGNORE = [
+    '**/node_modules/**',
+    '**/.git/**',
+];
+/**
+ * Resolve ignore globs for workspace discovery: defaults + `TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE` + `opts.workspaceDiscoveryIgnore`.
+ * Patterns are fast-glob / micromatch style, relative to the workspace root (forward slashes).
+ *
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}]
+ * @returns {string[]}
+ */
+export function resolveWorkspaceDiscoveryIgnore(opts = {}) {
+    const merged = [...DEFAULT_WORKSPACE_DISCOVERY_IGNORE];
+    const fromEnv = getCustom('TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE', null, opts);
+    if (fromEnv && String(fromEnv).trim()) {
+        merged.push(...String(fromEnv).split(',').map(s => s.trim()).filter(Boolean));
+    }
+    const extra = opts.workspaceDiscoveryIgnore;
+    if (Array.isArray(extra)) {
+        for (const p of extra) {
+            if (typeof p === 'string' && p.trim()) {
+                merged.push(p.trim());
+            }
+        }
+    }
+    return [...new Set(merged)];
+}
+/**
+ * @param {string} root - Workspace root (absolute)
+ * @param {string[]} ignorePatterns
+ */
+function buildWorkspaceDiscoveryGlobOptions(root, ignorePatterns) {
+    return {
+        cwd: root,
+        absolute: true,
+        onlyFiles: true,
+        ignore: ignorePatterns,
+        followSymbolicLinks: false,
+    };
+}
+/**
+ * @param {string} filePath - Absolute path
+ * @param {string} root - Workspace root (absolute)
+ * @returns {string} Relative path with forward slashes
+ */
+function relativePathForGlobMatch(filePath, root) {
+    const rel = path.relative(root, filePath);
+    return rel.split(path.sep).join('/');
+}
+/**
+ * Drop manifest paths whose location matches an ignore pattern (e.g. root unshift, Cargo paths).
+ *
+ * @param {string[]} manifestPaths
+ * @param {string} root
+ * @param {string[]} ignorePatterns
+ * @returns {string[]}
+ */
+export function filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns) {
+    if (!ignorePatterns.length) {
+        return manifestPaths;
+    }
+    const resolvedRoot = path.resolve(root);
+    return manifestPaths.filter(absPath => {
+        const rel = relativePathForGlobMatch(absPath, resolvedRoot);
+        if (rel === '') {
+            return true;
+        }
+        return !ignorePatterns.some(pattern => micromatch.isMatch(rel, pattern, { dot: true }));
+    });
+}
+/**
+ * @typedef {{ valid: true, name: string, version: string } | { valid: false, error: string }} ValidatePackageJsonResult
+ */
+/**
+ * Validate a package.json has non-empty `name` and `version` (required for stable SBOM root identity in batch).
+ *
+ * @param {string} packageJsonPath - Absolute or relative path to package.json
+ * @returns {ValidatePackageJsonResult}
+ */
+export function validatePackageJson(packageJsonPath) {
+    let content;
+    try {
+        const raw = fs.readFileSync(packageJsonPath, 'utf-8');
+        content = JSON.parse(raw);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { valid: false, error: `Invalid package.json: ${msg}` };
+    }
+    if (!content || typeof content !== 'object') {
+        return { valid: false, error: 'package.json must be a JSON object' };
+    }
+    const name = content.name;
+    const version = content.version;
+    if (typeof name !== 'string' || !name.trim()) {
+        return { valid: false, error: 'Missing or invalid name' };
+    }
+    if (typeof version !== 'string' || !version.trim()) {
+        return { valid: false, error: 'Missing or invalid version' };
+    }
+    return { valid: true, name: name.trim(), version: version.trim() };
+}
+/**
+ * Discover all package.json paths in a JS/TS workspace.
+ * Reads pnpm-workspace.yaml or package.json workspaces.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}] - optional `workspaceDiscoveryIgnore` globs (merged with defaults and env)
+ * @returns {Promise<string[]>} Paths to package.json files (absolute)
+ */
+export async function discoverWorkspacePackages(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const ignorePatterns = resolveWorkspaceDiscoveryIgnore(opts);
+    const globOpts = buildWorkspaceDiscoveryGlobOptions(root, ignorePatterns);
+    const pnpmWorkspace = path.join(root, 'pnpm-workspace.yaml');
+    const packageJson = path.join(root, 'package.json');
+    if (fs.existsSync(pnpmWorkspace)) {
+        return discoverFromPnpmWorkspace(root, pnpmWorkspace, globOpts, ignorePatterns);
+    }
+    if (fs.existsSync(packageJson)) {
+        return discoverFromPackageJsonWorkspaces(root, packageJson, globOpts, ignorePatterns);
+    }
+    return [];
+}
+/**
+ * @param {string} root
+ * @param {string} pnpmWorkspacePath
+ * @param {object} globOpts - fast-glob options (cwd, ignore, followSymbolicLinks, …)
+ * @param {string[]} ignorePatterns - for post-filter
+ * @returns {Promise<string[]>}
+ */
+async function discoverFromPnpmWorkspace(root, pnpmWorkspacePath, globOpts, ignorePatterns) {
+    const content = fs.readFileSync(pnpmWorkspacePath, 'utf-8');
+    const packages = parsePnpmPackages(content);
+    if (packages.length === 0) {
+        return [];
+    }
+    const patterns = toManifestGlobPatterns(packages, 'package.json');
+    const manifestPaths = await fg(patterns, globOpts);
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * Parse the `packages` array from pnpm-workspace.yaml content.
+ * @param {string} content - Raw YAML content
+ * @returns {string[]}
+ */
+function parsePnpmPackages(content) {
+    let doc;
+    try {
+        doc = yamlLoad(content);
+    }
+    catch {
+        return [];
+    }
+    if (!doc || typeof doc !== 'object' || !Array.isArray(doc.packages)) {
+        return [];
+    }
+    return doc.packages.filter(p => typeof p === 'string' && p.trim()).map(p => p.trim());
+}
+/**
+ * Convert workspace glob patterns to manifest-file glob patterns,
+ * correctly handling negation prefixes.
+ *
+ * @param {string[]} patterns - Workspace glob patterns (may include negations)
+ * @param {string} manifestFileName - e.g. 'package.json' or 'Cargo.toml'
+ * @returns {string[]}
+ */
+function toManifestGlobPatterns(patterns, manifestFileName) {
+    return patterns.map(p => {
+        if (p.startsWith('!')) {
+            return `!${p.slice(1)}/${manifestFileName}`;
+        }
+        return `${p}/${manifestFileName}`;
+    });
+}
+/**
+ * @param {string} root
+ * @param {string} packageJsonPath
+ * @param {object} globOpts
+ * @param {string[]} ignorePatterns
+ * @returns {Promise<string[]>}
+ */
+async function discoverFromPackageJsonWorkspaces(root, packageJsonPath, globOpts, ignorePatterns) {
+    let pkg;
+    try {
+        pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+    }
+    catch {
+        return [];
+    }
+    const workspaces = pkg.workspaces;
+    if (!workspaces) {
+        return [];
+    }
+    const raw = Array.isArray(workspaces) ? workspaces : workspaces.packages || [];
+    const patterns = toManifestGlobPatterns(raw.filter(p => typeof p === 'string'), 'package.json');
+    if (patterns.length === 0) {
+        return [];
+    }
+    const manifestPaths = await fg(patterns, globOpts);
+    const rootPkg = path.join(root, 'package.json');
+    if (fs.existsSync(rootPkg) && !manifestPaths.includes(rootPkg)) {
+        manifestPaths.unshift(rootPkg);
+    }
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * Discover all Cargo.toml manifest paths in a Cargo workspace.
+ * Uses `cargo metadata` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain Cargo.toml and Cargo.lock)
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to Cargo.toml files (absolute)
+ */
+export async function discoverWorkspaceCrates(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const cargoToml = path.join(root, 'Cargo.toml');
+    const cargoLock = path.join(root, 'Cargo.lock');
+    if (!fs.existsSync(cargoToml) || !fs.existsSync(cargoLock)) {
+        return [];
+    }
+    const cargoBin = getCustomPath('cargo', opts);
+    let output;
+    try {
+        output = invokeCommand(cargoBin, ['metadata', '--format-version', '1', '--no-deps'], { cwd: root });
+    }
+    catch {
+        return [];
+    }
+    let metadata;
+    try {
+        metadata = JSON.parse(output.toString().trim());
+    }
+    catch {
+        return [];
+    }
+    const memberIds = new Set(metadata.workspace_members || []);
+    const manifestPaths = [];
+    for (const pkg of metadata.packages || []) {
+        if (memberIds.has(pkg.id) && pkg.manifest_path) {
+            const manifestPath = path.resolve(pkg.manifest_path);
+            if (fs.existsSync(manifestPath)) {
+                manifestPaths.push(manifestPath);
+            }
+        }
+    }
+    const ignorePatterns = resolveWorkspaceDiscoveryIgnore(opts);
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.63ae5c2",
+	"version": "0.3.0-ea.7144952",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",
@@ -40,26 +40,34 @@
 		"test": "c8 npm run tests",
 		"tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
 		"tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+		"pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm",
 		"precompile": "rm -rf dist",
-		"compile": "tsc -p tsconfig.json"
+		"compile": "tsc -p tsconfig.json",
+		"compile:dev": "tsc -p tsconfig.dev.json",
+		"postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm"
 	},
 	"dependencies": {
 		"@babel/core": "^7.23.2",
 		"@cyclonedx/cyclonedx-library": "^6.13.0",
 		"eslint-import-resolver-typescript": "^4.4.4",
+		"fast-glob": "^3.3.3",
 		"fast-toml": "^0.5.4",
 		"fast-xml-parser": "^5.3.4",
 		"help": "^3.0.2",
 		"https-proxy-agent": "^7.0.6",
+		"js-yaml": "^4.1.1",
+		"micromatch": "^4.0.8",
 		"node-fetch": "^3.3.2",
+		"p-limit": "^5.0.0",
 		"packageurl-js": "~1.0.2",
+		"smol-toml": "^1.6.0",
 		"tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
 		"web-tree-sitter": "^0.26.6",
 		"yargs": "^18.0.0"
 	},
 	"devDependencies": {
 		"@babel/core": "^7.23.2",
-		"@trustify-da/trustify-da-api-model": "^2.0.1",
+		"@trustify-da/trustify-da-api-model": "^2.0.7",
 		"@types/node": "^20.17.30",
 		"@types/which": "^3.0.4",
 		"babel-plugin-rewire": "^1.2.0",