@trustify-da/trustify-da-javascript-client 0.3.0-ea.6549d2a → 0.3.0-ea.7144952

package/README.md

@@ -32,6 +32,11 @@ let stackAnalysis = await client.stackAnalysis('/path/to/pom.xml')
 let stackAnalysisHtml = await client.stackAnalysis('/path/to/pom.xml', true)
 // Get component analysis in JSON format
 let componentAnalysis = await client.componentAnalysis('/path/to/pom.xml')
+// For monorepos, pass workspace root so the client finds the lock file
+let monorepoOpts = { workspaceDir: '/path/to/workspace-root' }
+let stackAnalysisMonorepo = await client.stackAnalysis('/path/to/package.json', false, monorepoOpts)
+// Batch analysis for entire workspace (Cargo or JS/TS); optional parallel SBOM generation
+let batchReport = await client.stackAnalysisBatch('/path/to/workspace-root', false, { batchConcurrency: 10 })
 // Get image analysis in JSON format
 let imageAnalysis = await client.imageAnalysis(['docker.io/library/node:18'])
 // Get image analysis in HTML format (string)
@@ -43,6 +48,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'])
 ```
 </li>
 </ul>
+
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
+</ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
 <ul>
 <li>
 Use as ESM Module from Common-JS module
@@ -86,8 +106,9 @@ $ npx @trustify-da/trustify-da-javascript-client help
 Usage: trustify-da-javascript-client {component|stack|image|validate-token|license}
 
 Commands:
-  trustify-da-javascript-client stack </path/to/manifest> [--html|--summary]               produce stack report for manifest path
-  trustify-da-javascript-client component <path/to/manifest> [--summary]   produce component report for a manifest type and content
+  trustify-da-javascript-client stack </path/to/manifest> [--workspace-dir <path>] [--html|--summary]               produce stack report for manifest path
+  trustify-da-javascript-client stack-batch </path/to/workspace-root> [--html|--summary]   produce stack report for all packages/crates in workspace
+  trustify-da-javascript-client component <path/to/manifest> [--workspace-dir <path>]   produce component report for a manifest type and content
   trustify-da-javascript-client image <image-refs..> [--html|--summary]               produce image analysis report for OCI image references
   trustify-da-javascript-client license </path/to/manifest>               display project license information from manifest and LICENSE file in JSON format
 
@@ -106,9 +127,21 @@ $ npx @trustify-da/trustify-da-javascript-client stack /path/to/pom.xml --summar
 # get stack analysis in html format format
 $ npx @trustify-da/trustify-da-javascript-client stack /path/to/pom.xml --html
 
+# get stack analysis for monorepo (lock file at workspace root)
+$ npx @trustify-da/trustify-da-javascript-client stack /path/to/package.json --workspace-dir /path/to/workspace-root
+
 # get component analysis
 $ npx @trustify-da/trustify-da-javascript-client component /path/to/pom.xml
 
+# get component analysis for monorepo
+$ npx @trustify-da/trustify-da-javascript-client component /path/to/package.json -w /path/to/workspace-root
+
+# batch stack analysis for entire workspace (Cargo or JS/TS)
+$ npx @trustify-da/trustify-da-javascript-client stack-batch /path/to/workspace-root
+
+# optional: extra discovery excludes (merged with defaults); repeat --ignore or use TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE
+$ npx @trustify-da/trustify-da-javascript-client stack-batch /path/to/workspace-root --ignore '**/fixtures/**'
+
 # get image analysis in json format
 $ npx @trustify-da/trustify-da-javascript-client image docker.io/library/node:18
 
@@ -147,9 +180,21 @@ $ trustify-da-javascript-client stack /path/to/pom.xml --summary
 # get stack analysis in html format format
 $ trustify-da-javascript-client stack /path/to/pom.xml --html
 
+# get stack analysis for monorepo (lock file at workspace root)
+$ trustify-da-javascript-client stack /path/to/package.json --workspace-dir /path/to/workspace-root
+
 # get component analysis
 $ trustify-da-javascript-client component /path/to/pom.xml
 
+# get component analysis for monorepo
+$ trustify-da-javascript-client component /path/to/package.json -w /path/to/workspace-root
+
+# batch stack analysis for entire workspace
+$ trustify-da-javascript-client stack-batch /path/to/workspace-root
+
+# with extra discovery excludes
+$ trustify-da-javascript-client stack-batch /path/to/workspace-root -i '**/vendor/**'
+
 # get image analysis in json format
 $ trustify-da-javascript-client image docker.io/library/node:18
 
@@ -181,7 +226,23 @@ $ trustify-da-javascript-client license /path/to/package.json
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
 <li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
+<li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
+</ul>
+
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
 </ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
 
 <h3>Excluding Packages</h3>
 <p>
@@ -304,7 +365,21 @@ test {
 }
 ```
 
-All of the 5 above examples are valid for marking a package to be ignored
+<em>Rust Cargo</em> users can add a comment with <code># trustify-da-ignore</code> (or <code># exhortignore</code>) in <em>Cargo.toml</em> next to the dependency to be ignored. This works for inline declarations, table-based declarations, and workspace-level dependency sections:
+
+```toml
+[dependencies]
+serde = "1.0" # trustify-da-ignore
+tokio = { version = "1.35", features = ["full"] }
+
+[dependencies.regex] # trustify-da-ignore
+version = "1.10"
+
+[workspace.dependencies]
+log = "0.4" # trustify-da-ignore
+```
+
+All of the 6 above examples are valid for marking a package to be ignored
 </li>
 
 </ul>
@@ -336,6 +411,9 @@ let options = {
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
+  'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
+  // Workspace root for monorepos (Cargo, npm/pnpm/yarn); lock file expected here
+  'workspaceDir': '/path/to/workspace-root',
   // Configure proxy for all requests
   'TRUSTIFY_DA_PROXY_URL': 'http://proxy.example.com:8080'
 }
@@ -358,6 +436,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'],
  **_Environment variables takes precedence._**
 </p>
 
+<h4>Monorepo / Workspace Support</h4>
+<p>
+For monorepos (Cargo workspaces, npm/pnpm/yarn workspaces) where the lock file lives at the workspace root rather than next to the manifest, pass the workspace root via <code>workspaceDir</code> or <code>TRUSTIFY_DA_WORKSPACE_DIR</code>:
+</p>
+<ul>
+<li><strong>Cargo:</strong> When set, the client checks only the given directory for <code>Cargo.lock</code> instead of walking up from the manifest.</li>
+<li><strong>JavaScript (npm, pnpm, yarn):</strong> When set, the client looks for the lock file (<code>package-lock.json</code>, <code>pnpm-lock.yaml</code>, <code>yarn.lock</code>) at the workspace root.</li>
+</ul>
+<p>
+Use <code>stackAnalysisBatch(workspaceRoot, html, opts)</code> to analyze all packages/crates in a workspace in one request. Supports Cargo workspaces and JS/TS workspaces (pnpm, npm, yarn). Optional <code>batchConcurrency</code> (or <code>TRUSTIFY_DA_BATCH_CONCURRENCY</code>) limits parallel SBOM generation (default 10). For JS/TS, each <code>package.json</code> must have non-empty <code>name</code> and <code>version</code>; invalid manifests are skipped (warnings). Per-manifest SBOM failures are skipped if at least one SBOM succeeds (unless <code>continueOnError: false</code>). Set <code>batchMetadata: true</code> (or <code>TRUSTIFY_DA_BATCH_METADATA</code>) to receive <code>{ analysis, metadata }</code> with <code>errors[]</code>. CLI: <code>stack-batch --metadata</code>, <code>--fail-fast</code>. See <a href="./docs/monorepo-implementation-plan.md">monorepo implementation plan</a> §2.3 and §3.5.
+</p>
+<p>
+See <a href="./docs/vscode-extension-integration-requirements.md">VS Code Extension Integration Requirements</a> for integration details.
+</p>
+
 <h4>Proxy Configuration</h4>
 <p>
 You can configure a proxy for all HTTP/HTTPS requests made by the API. This is useful when your environment requires going through a proxy to access external services.
@@ -381,7 +474,7 @@ The proxy URL should be in the format: `http://host:port` or `https://host:port`
 
 <h4>License resolution and dependency license compliance</h4>
 <p>
-The client can resolve the <strong>project license</strong> from the manifest (e.g. <code>package.json</code> <code>license</code>, <code>pom.xml</code> <code>&lt;licenses&gt;</code>) and from a <code>LICENSE</code> or <code>LICENSE.md</code> file in the project, and report when they differ. For <strong>component analysis</strong>, you can optionally run a license check: the client fetches dependency licenses from the backend (by purl) and reports dependencies whose licenses are incompatible with the project license. See <a href="docs/license-resolution-and-compliance.md">License resolution and compliance</a> for design and behavior. To disable the check on component analysis, set <code>TRUSTIFY_DA_LICENSE_CHECK=false</code> or pass <code>licenseCheck: false</code> in the options.
+The client can resolve the <strong>project license</strong> from the manifest (e.g. <code>package.json</code> <code>license</code>, <code>pom.xml</code> <code>&lt;licenses&gt;</code>, <code>Cargo.toml</code> <code>license</code>) and from a <code>LICENSE</code> or <code>LICENSE.md</code> file in the project, and report when they differ. For <strong>component analysis</strong>, you can optionally run a license check: the client fetches dependency licenses from the backend (by purl) and reports dependencies whose licenses are incompatible with the project license. See <a href="docs/license-resolution-and-compliance.md">License resolution and compliance</a> for design and behavior. To disable the check on component analysis, set <code>TRUSTIFY_DA_LICENSE_CHECK=false</code> or pass <code>licenseCheck: false</code> in the options.
 </p>
 
 <h4>Customizing Executables</h4>
@@ -457,6 +550,16 @@ following keys for setting custom paths for the said executables.
 <td><em>gradle</em></td>
 <td>TRUSTIFY_DA_PREFER_GRADLEW</td>
 </tr>
+<tr>
+<td><a href="https://www.rust-lang.org/">Rust Cargo</a></td>
+<td><em>cargo</em></td>
+<td>TRUSTIFY_DA_CARGO_PATH</td>
+</tr>
+<tr>
+<td>Workspace root (monorepos)</td>
+<td>—</td>
+<td>workspaceDir / TRUSTIFY_DA_WORKSPACE_DIR</td>
+</tr>
 </table>
 
 #### Match Manifest Versions Feature

package/dist/package.json

@@ -40,19 +40,27 @@
         "test": "c8 npm run tests",
         "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm",
         "precompile": "rm -rf dist",
-        "compile": "tsc -p tsconfig.json"
+        "compile": "tsc -p tsconfig.json",
+        "compile:dev": "tsc -p tsconfig.dev.json",
+        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm"
     },
     "dependencies": {
         "@babel/core": "^7.23.2",
         "@cyclonedx/cyclonedx-library": "^6.13.0",
         "eslint-import-resolver-typescript": "^4.4.4",
+        "fast-glob": "^3.3.3",
         "fast-toml": "^0.5.4",
         "fast-xml-parser": "^5.3.4",
         "help": "^3.0.2",
         "https-proxy-agent": "^7.0.6",
+        "js-yaml": "^4.1.1",
+        "micromatch": "^4.0.8",
         "node-fetch": "^3.3.2",
+        "p-limit": "^5.0.0",
         "packageurl-js": "~1.0.2",
+        "smol-toml": "^1.6.0",
         "tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
         "web-tree-sitter": "^0.26.6",
         "yargs": "^18.0.0"

package/dist/src/analysis.d.ts

@@ -1,6 +1,9 @@
+/** Media type for CycloneDX JSON batch payloads (batch-analysis API). */
+export const CYCLONEDX_JSON_MEDIA_TYPE: "application/vnd.cyclonedx+json";
 declare namespace _default {
     export { requestComponent };
     export { requestStack };
+    export { requestStackBatch };
     export { requestImages };
     export { validateToken };
 }
@@ -24,6 +27,19 @@ declare function requestComponent(provider: import("./provider").Provider, manif
  * @returns {Promise<string|import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>}
  */
 declare function requestStack(provider: import("./provider").Provider, manifest: string, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * Send a batch stack analysis request for multiple manifests (SBOMs keyed by purl).
+ * @param {Object.<string, object>} sbomByPurl - Map of root purl to CycloneDX SBOM object
+ * @param {string} url - the backend url
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON
+ * @param {import("index.js").Options} [opts={}]
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ */
+declare function requestStackBatch(sbomByPurl: {
+    [x: string]: any;
+}, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | {
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  *
  * @param {Array<string>} imageRefs

package/dist/src/analysis.js

@@ -4,7 +4,9 @@ import { EOL } from "os";
 import { runLicenseCheck } from "./license/index.js";
 import { generateImageSBOM, parseImageRef } from "./oci_image/utils.js";
 import { addProxyAgent, getCustom, getTokenHeaders, TRUSTIFY_DA_OPERATION_TYPE_HEADER, TRUSTIFY_DA_PACKAGE_MANAGER_HEADER } from "./tools.js";
-export default { requestComponent, requestStack, requestImages, validateToken };
+/** Media type for CycloneDX JSON batch payloads (batch-analysis API). */
+export const CYCLONEDX_JSON_MEDIA_TYPE = 'application/vnd.cyclonedx+json';
+export default { requestComponent, requestStack, requestStackBatch, requestImages, validateToken };
 /**
  * Send a stack analysis request and get the report as 'text/html' or 'application/json'.
  * @param {import('./provider').Provider} provider - the provided data for constructing the request
@@ -124,6 +126,52 @@ async function requestComponent(provider, manifest, url, opts = {}) {
     }
     return Promise.resolve(result);
 }
+/**
+ * Send a batch stack analysis request for multiple manifests (SBOMs keyed by purl).
+ * @param {Object.<string, object>} sbomByPurl - Map of root purl to CycloneDX SBOM object
+ * @param {string} url - the backend url
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON
+ * @param {import("index.js").Options} [opts={}]
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ */
+async function requestStackBatch(sbomByPurl, url, html = false, opts = {}) {
+    const finalUrl = new URL(`${url}/api/v5/batch-analysis`);
+    if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
+        finalUrl.searchParams.append('recommend', 'false');
+    }
+    const fetchOptions = addProxyAgent({
+        method: 'POST',
+        headers: {
+            'Accept': html ? 'text/html' : 'application/json',
+            'Content-Type': CYCLONEDX_JSON_MEDIA_TYPE,
+            ...getTokenHeaders(opts)
+        },
+        body: JSON.stringify(sbomByPurl)
+    }, opts);
+    const resp = await fetch(finalUrl, fetchOptions);
+    if (resp.status === 200) {
+        let result;
+        if (!html) {
+            result = await resp.json();
+        }
+        else {
+            result = await resp.text();
+        }
+        if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
+            const exRequestId = resp.headers.get("ex-request-id");
+            if (exRequestId) {
+                console.log("Unique Identifier associated with this request - ex-request-id=" + exRequestId);
+            }
+            console.log("Response body received from Trustify DA backend server : " + EOL + EOL);
+            console.log(JSON.stringify(result, null, 4));
+            console.log("Ending time of sending batch stack analysis request to Trustify DA backend server= " + new Date());
+        }
+        return result;
+    }
+    else {
+        throw new Error(`Got error response from Trustify DA backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`);
+    }
+}
 /**
  *
  * @param {Array<string>} imageRefs
@@ -145,7 +193,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
         method: 'POST',
         headers: {
             'Accept': html ? 'text/html' : 'application/json',
-            'Content-Type': 'application/vnd.cyclonedx+json',
+            'Content-Type': CYCLONEDX_JSON_MEDIA_TYPE,
             ...getTokenHeaders(opts)
         },
         body: JSON.stringify(imageSboms),

package/dist/src/batch_opts.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Whether to skip failed manifests and continue (default), or fail on first SBOM/validation error.
+ * `opts.continueOnError` overrides; env `TRUSTIFY_DA_CONTINUE_ON_ERROR=false` disables continuation.
+ *
+ * @param {{ continueOnError?: boolean, TRUSTIFY_DA_CONTINUE_ON_ERROR?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean} true = collect errors (default), false = fail-fast
+ */
+export function resolveContinueOnError(opts?: {
+    continueOnError?: boolean;
+    TRUSTIFY_DA_CONTINUE_ON_ERROR?: string;
+    [key: string]: unknown;
+}): boolean;
+/**
+ * When true, `stackAnalysisBatch` returns `{ analysis, metadata }` instead of the backend response only.
+ * `opts.batchMetadata` overrides; env `TRUSTIFY_DA_BATCH_METADATA=true` enables.
+ *
+ * @param {{ batchMetadata?: boolean, TRUSTIFY_DA_BATCH_METADATA?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean}
+ */
+export function resolveBatchMetadata(opts?: {
+    batchMetadata?: boolean;
+    TRUSTIFY_DA_BATCH_METADATA?: string;
+    [key: string]: unknown;
+}): boolean;

package/dist/src/batch_opts.js

@@ -0,0 +1,35 @@
+import { getCustom } from './tools.js';
+/**
+ * Whether to skip failed manifests and continue (default), or fail on first SBOM/validation error.
+ * `opts.continueOnError` overrides; env `TRUSTIFY_DA_CONTINUE_ON_ERROR=false` disables continuation.
+ *
+ * @param {{ continueOnError?: boolean, TRUSTIFY_DA_CONTINUE_ON_ERROR?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean} true = collect errors (default), false = fail-fast
+ */
+export function resolveContinueOnError(opts = {}) {
+    if (typeof opts.continueOnError === 'boolean') {
+        return opts.continueOnError;
+    }
+    const v = getCustom('TRUSTIFY_DA_CONTINUE_ON_ERROR', null, opts);
+    if (v != null && String(v).trim() !== '') {
+        return String(v).toLowerCase() !== 'false';
+    }
+    return true;
+}
+/**
+ * When true, `stackAnalysisBatch` returns `{ analysis, metadata }` instead of the backend response only.
+ * `opts.batchMetadata` overrides; env `TRUSTIFY_DA_BATCH_METADATA=true` enables.
+ *
+ * @param {{ batchMetadata?: boolean, TRUSTIFY_DA_BATCH_METADATA?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean}
+ */
+export function resolveBatchMetadata(opts = {}) {
+    if (typeof opts.batchMetadata === 'boolean') {
+        return opts.batchMetadata;
+    }
+    const v = getCustom('TRUSTIFY_DA_BATCH_METADATA', null, opts);
+    if (v != null && String(v).trim() !== '') {
+        return String(v).toLowerCase() === 'true';
+    }
+    return false;
+}

package/dist/src/cli.js

@@ -12,10 +12,18 @@ const component = {
         desc: 'manifest path for analyzing',
         type: 'string',
         normalize: true,
+    }).options({
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
+        }
     }),
     handler: async (args) => {
         let manifestName = args['/path/to/manifest'];
-        let res = await client.componentAnalysis(manifestName);
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
+        let res = await client.componentAnalysis(manifestName, opts);
         console.log(JSON.stringify(res, null, 2));
     }
 };
@@ -117,15 +125,22 @@ const stack = {
             desc: 'For JSON report, get only the \'summary\'',
             type: 'boolean',
             conflicts: 'html'
+        },
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
         }
     }),
     handler: async (args) => {
         let manifest = args['/path/to/manifest'];
         let html = args['html'];
         let summary = args['summary'];
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
         let theProvidersSummary = new Map();
         let theProvidersObject = {};
-        let res = await client.stackAnalysis(manifest, html);
+        let res = await client.stackAnalysis(manifest, html, opts);
         if (summary) {
             for (let provider in res.providers) {
                 if (res.providers[provider].sources !== undefined) {
@@ -143,6 +158,108 @@ const stack = {
         console.log(html ? res : JSON.stringify(!html && summary ? theProvidersObject : res, null, 2));
     }
 };
+// command for batch stack analysis (workspace)
+const stackBatch = {
+    command: 'stack-batch </path/to/workspace-root> [--html|--summary] [--concurrency <n>] [--ignore <pattern>...] [--metadata] [--fail-fast]',
+    desc: 'produce stack report for all packages/crates in a workspace (Cargo or JS/TS)',
+    builder: yargs => yargs.positional('/path/to/workspace-root', {
+        desc: 'workspace root directory (containing Cargo.toml+Cargo.lock or package.json+lock file)',
+        type: 'string',
+        normalize: true,
+    }).options({
+        html: {
+            alias: 'r',
+            desc: 'Get the report as HTML instead of JSON',
+            type: 'boolean',
+            conflicts: 'summary'
+        },
+        summary: {
+            alias: 's',
+            desc: 'For JSON report, get only the \'summary\' per package',
+            type: 'boolean',
+            conflicts: 'html'
+        },
+        concurrency: {
+            alias: 'c',
+            desc: 'Max parallel SBOM generations (default: 10, env: TRUSTIFY_DA_BATCH_CONCURRENCY)',
+            type: 'number',
+        },
+        ignore: {
+            alias: 'i',
+            desc: 'Extra glob patterns excluded from workspace discovery (merged with defaults). Repeat flag per pattern. Env: TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE (comma-separated)',
+            type: 'string',
+            array: true,
+        },
+        metadata: {
+            alias: 'm',
+            desc: 'Return { analysis, metadata } with per-manifest errors (env: TRUSTIFY_DA_BATCH_METADATA=true)',
+            type: 'boolean',
+            default: false,
+        },
+        failFast: {
+            desc: 'Stop on first invalid package.json or SBOM error (env: TRUSTIFY_DA_CONTINUE_ON_ERROR=false)',
+            type: 'boolean',
+            default: false,
+        }
+    }),
+    handler: async (args) => {
+        const workspaceRoot = args['/path/to/workspace-root'];
+        const html = args['html'];
+        const summary = args['summary'];
+        const opts = {};
+        if (args.concurrency != null) {
+            opts.batchConcurrency = args.concurrency;
+        }
+        const extraIgnores = Array.isArray(args.ignore) ? args.ignore.filter(p => p != null && String(p).trim()) : [];
+        if (extraIgnores.length > 0) {
+            opts.workspaceDiscoveryIgnore = extraIgnores;
+        }
+        if (args.metadata) {
+            opts.batchMetadata = true;
+        }
+        if (args.failFast) {
+            opts.continueOnError = false;
+        }
+        let res = await client.stackAnalysisBatch(workspaceRoot, html, opts);
+        const batchAnalysis = res && typeof res === 'object' && res != null && 'analysis' in res ? res.analysis : res;
+        if (summary && !html && typeof batchAnalysis === 'object') {
+            const summaries = {};
+            for (const [purl, report] of Object.entries(batchAnalysis)) {
+                if (report?.providers) {
+                    for (const provider of Object.keys(report.providers)) {
+                        const sources = report.providers[provider]?.sources;
+                        if (sources) {
+                            for (const [source, data] of Object.entries(sources)) {
+                                if (data?.summary) {
+                                    if (!summaries[purl]) {
+                                        summaries[purl] = {};
+                                    }
+                                    if (!summaries[purl][provider]) {
+                                        summaries[purl][provider] = {};
+                                    }
+                                    summaries[purl][provider][source] = data.summary;
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            if (res && typeof res === 'object' && res != null && 'metadata' in res) {
+                res = { analysis: summaries, metadata: res.metadata };
+            }
+            else {
+                res = summaries;
+            }
+        }
+        if (html) {
+            const htmlContent = res && typeof res === 'object' && 'analysis' in res ? res.analysis : res;
+            console.log(htmlContent);
+        }
+        else {
+            console.log(JSON.stringify(res, null, 2));
+        }
+    }
+};
 // command for license checking
 const license = {
     command: 'license </path/to/manifest>',
@@ -210,8 +327,9 @@ const license = {
 };
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|image|validate-token|license}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license}`)
     .command(stack)
+    .command(stackBatch)
     .command(component)
     .command(image)
     .command(validateToken)

package/dist/src/cyclone_dx_sbom.js

@@ -120,6 +120,7 @@ export default class CycloneDxSbom {
     getAsJsonString(opts) {
         let manifestType = opts["manifest-type"];
         this.setSourceManifest(opts["source-manifest"]);
+        const rootPurl = this.rootComponent?.purl;
         this.sbomObject = {
             "bomFormat": "CycloneDX",
             "specVersion": "1.4",
@@ -129,7 +130,7 @@ export default class CycloneDxSbom {
                 "component": this.rootComponent,
                 "properties": new Array()
             },
-            "components": this.components,
+            "components": this.components.filter(c => c.purl !== rootPurl),
             "dependencies": this.dependencies
         };
         if (this.rootComponent === undefined) {