@trustify-da/trustify-da-javascript-client 0.3.0-ea.6549d2a → 0.3.0-ea.7144952

package/dist/src/workspace.js

@@ -0,0 +1,256 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import fg from 'fast-glob';
+import { load as yamlLoad } from 'js-yaml';
+import micromatch from 'micromatch';
+import { getCustom, getCustomPath, invokeCommand } from './tools.js';
+/** Default paths skipped during JS workspace discovery (merged with user patterns). */
+const DEFAULT_WORKSPACE_DISCOVERY_IGNORE = [
+    '**/node_modules/**',
+    '**/.git/**',
+];
+/**
+ * Resolve ignore globs for workspace discovery: defaults + `TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE` + `opts.workspaceDiscoveryIgnore`.
+ * Patterns are fast-glob / micromatch style, relative to the workspace root (forward slashes).
+ *
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}]
+ * @returns {string[]}
+ */
+export function resolveWorkspaceDiscoveryIgnore(opts = {}) {
+    const merged = [...DEFAULT_WORKSPACE_DISCOVERY_IGNORE];
+    const fromEnv = getCustom('TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE', null, opts);
+    if (fromEnv && String(fromEnv).trim()) {
+        merged.push(...String(fromEnv).split(',').map(s => s.trim()).filter(Boolean));
+    }
+    const extra = opts.workspaceDiscoveryIgnore;
+    if (Array.isArray(extra)) {
+        for (const p of extra) {
+            if (typeof p === 'string' && p.trim()) {
+                merged.push(p.trim());
+            }
+        }
+    }
+    return [...new Set(merged)];
+}
+/**
+ * @param {string} root - Workspace root (absolute)
+ * @param {string[]} ignorePatterns
+ */
+function buildWorkspaceDiscoveryGlobOptions(root, ignorePatterns) {
+    return {
+        cwd: root,
+        absolute: true,
+        onlyFiles: true,
+        ignore: ignorePatterns,
+        followSymbolicLinks: false,
+    };
+}
+/**
+ * @param {string} filePath - Absolute path
+ * @param {string} root - Workspace root (absolute)
+ * @returns {string} Relative path with forward slashes
+ */
+function relativePathForGlobMatch(filePath, root) {
+    const rel = path.relative(root, filePath);
+    return rel.split(path.sep).join('/');
+}
+/**
+ * Drop manifest paths whose location matches an ignore pattern (e.g. root unshift, Cargo paths).
+ *
+ * @param {string[]} manifestPaths
+ * @param {string} root
+ * @param {string[]} ignorePatterns
+ * @returns {string[]}
+ */
+export function filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns) {
+    if (!ignorePatterns.length) {
+        return manifestPaths;
+    }
+    const resolvedRoot = path.resolve(root);
+    return manifestPaths.filter(absPath => {
+        const rel = relativePathForGlobMatch(absPath, resolvedRoot);
+        if (rel === '') {
+            return true;
+        }
+        return !ignorePatterns.some(pattern => micromatch.isMatch(rel, pattern, { dot: true }));
+    });
+}
+/**
+ * @typedef {{ valid: true, name: string, version: string } | { valid: false, error: string }} ValidatePackageJsonResult
+ */
+/**
+ * Validate a package.json has non-empty `name` and `version` (required for stable SBOM root identity in batch).
+ *
+ * @param {string} packageJsonPath - Absolute or relative path to package.json
+ * @returns {ValidatePackageJsonResult}
+ */
+export function validatePackageJson(packageJsonPath) {
+    let content;
+    try {
+        const raw = fs.readFileSync(packageJsonPath, 'utf-8');
+        content = JSON.parse(raw);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { valid: false, error: `Invalid package.json: ${msg}` };
+    }
+    if (!content || typeof content !== 'object') {
+        return { valid: false, error: 'package.json must be a JSON object' };
+    }
+    const name = content.name;
+    const version = content.version;
+    if (typeof name !== 'string' || !name.trim()) {
+        return { valid: false, error: 'Missing or invalid name' };
+    }
+    if (typeof version !== 'string' || !version.trim()) {
+        return { valid: false, error: 'Missing or invalid version' };
+    }
+    return { valid: true, name: name.trim(), version: version.trim() };
+}
+/**
+ * Discover all package.json paths in a JS/TS workspace.
+ * Reads pnpm-workspace.yaml or package.json workspaces.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}] - optional `workspaceDiscoveryIgnore` globs (merged with defaults and env)
+ * @returns {Promise<string[]>} Paths to package.json files (absolute)
+ */
+export async function discoverWorkspacePackages(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const ignorePatterns = resolveWorkspaceDiscoveryIgnore(opts);
+    const globOpts = buildWorkspaceDiscoveryGlobOptions(root, ignorePatterns);
+    const pnpmWorkspace = path.join(root, 'pnpm-workspace.yaml');
+    const packageJson = path.join(root, 'package.json');
+    if (fs.existsSync(pnpmWorkspace)) {
+        return discoverFromPnpmWorkspace(root, pnpmWorkspace, globOpts, ignorePatterns);
+    }
+    if (fs.existsSync(packageJson)) {
+        return discoverFromPackageJsonWorkspaces(root, packageJson, globOpts, ignorePatterns);
+    }
+    return [];
+}
+/**
+ * @param {string} root
+ * @param {string} pnpmWorkspacePath
+ * @param {object} globOpts - fast-glob options (cwd, ignore, followSymbolicLinks, …)
+ * @param {string[]} ignorePatterns - for post-filter
+ * @returns {Promise<string[]>}
+ */
+async function discoverFromPnpmWorkspace(root, pnpmWorkspacePath, globOpts, ignorePatterns) {
+    const content = fs.readFileSync(pnpmWorkspacePath, 'utf-8');
+    const packages = parsePnpmPackages(content);
+    if (packages.length === 0) {
+        return [];
+    }
+    const patterns = toManifestGlobPatterns(packages, 'package.json');
+    const manifestPaths = await fg(patterns, globOpts);
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * Parse the `packages` array from pnpm-workspace.yaml content.
+ * @param {string} content - Raw YAML content
+ * @returns {string[]}
+ */
+function parsePnpmPackages(content) {
+    let doc;
+    try {
+        doc = yamlLoad(content);
+    }
+    catch {
+        return [];
+    }
+    if (!doc || typeof doc !== 'object' || !Array.isArray(doc.packages)) {
+        return [];
+    }
+    return doc.packages.filter(p => typeof p === 'string' && p.trim()).map(p => p.trim());
+}
+/**
+ * Convert workspace glob patterns to manifest-file glob patterns,
+ * correctly handling negation prefixes.
+ *
+ * @param {string[]} patterns - Workspace glob patterns (may include negations)
+ * @param {string} manifestFileName - e.g. 'package.json' or 'Cargo.toml'
+ * @returns {string[]}
+ */
+function toManifestGlobPatterns(patterns, manifestFileName) {
+    return patterns.map(p => {
+        if (p.startsWith('!')) {
+            return `!${p.slice(1)}/${manifestFileName}`;
+        }
+        return `${p}/${manifestFileName}`;
+    });
+}
+/**
+ * @param {string} root
+ * @param {string} packageJsonPath
+ * @param {object} globOpts
+ * @param {string[]} ignorePatterns
+ * @returns {Promise<string[]>}
+ */
+async function discoverFromPackageJsonWorkspaces(root, packageJsonPath, globOpts, ignorePatterns) {
+    let pkg;
+    try {
+        pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+    }
+    catch {
+        return [];
+    }
+    const workspaces = pkg.workspaces;
+    if (!workspaces) {
+        return [];
+    }
+    const raw = Array.isArray(workspaces) ? workspaces : workspaces.packages || [];
+    const patterns = toManifestGlobPatterns(raw.filter(p => typeof p === 'string'), 'package.json');
+    if (patterns.length === 0) {
+        return [];
+    }
+    const manifestPaths = await fg(patterns, globOpts);
+    const rootPkg = path.join(root, 'package.json');
+    if (fs.existsSync(rootPkg) && !manifestPaths.includes(rootPkg)) {
+        manifestPaths.unshift(rootPkg);
+    }
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * Discover all Cargo.toml manifest paths in a Cargo workspace.
+ * Uses `cargo metadata` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain Cargo.toml and Cargo.lock)
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to Cargo.toml files (absolute)
+ */
+export async function discoverWorkspaceCrates(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const cargoToml = path.join(root, 'Cargo.toml');
+    const cargoLock = path.join(root, 'Cargo.lock');
+    if (!fs.existsSync(cargoToml) || !fs.existsSync(cargoLock)) {
+        return [];
+    }
+    const cargoBin = getCustomPath('cargo', opts);
+    let output;
+    try {
+        output = invokeCommand(cargoBin, ['metadata', '--format-version', '1', '--no-deps'], { cwd: root });
+    }
+    catch {
+        return [];
+    }
+    let metadata;
+    try {
+        metadata = JSON.parse(output.toString().trim());
+    }
+    catch {
+        return [];
+    }
+    const memberIds = new Set(metadata.workspace_members || []);
+    const manifestPaths = [];
+    for (const pkg of metadata.packages || []) {
+        if (memberIds.has(pkg.id) && pkg.manifest_path) {
+            const manifestPath = path.resolve(pkg.manifest_path);
+            if (fs.existsSync(manifestPath)) {
+                manifestPaths.push(manifestPath);
+            }
+        }
+    }
+    const ignorePatterns = resolveWorkspaceDiscoveryIgnore(opts);
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.6549d2a",
+	"version": "0.3.0-ea.7144952",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",
@@ -40,19 +40,27 @@
 		"test": "c8 npm run tests",
 		"tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
 		"tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+		"pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm",
 		"precompile": "rm -rf dist",
-		"compile": "tsc -p tsconfig.json"
+		"compile": "tsc -p tsconfig.json",
+		"compile:dev": "tsc -p tsconfig.dev.json",
+		"postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm"
 	},
 	"dependencies": {
 		"@babel/core": "^7.23.2",
 		"@cyclonedx/cyclonedx-library": "^6.13.0",
 		"eslint-import-resolver-typescript": "^4.4.4",
+		"fast-glob": "^3.3.3",
 		"fast-toml": "^0.5.4",
 		"fast-xml-parser": "^5.3.4",
 		"help": "^3.0.2",
 		"https-proxy-agent": "^7.0.6",
+		"js-yaml": "^4.1.1",
+		"micromatch": "^4.0.8",
 		"node-fetch": "^3.3.2",
+		"p-limit": "^5.0.0",
 		"packageurl-js": "~1.0.2",
+		"smol-toml": "^1.6.0",
 		"tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
 		"web-tree-sitter": "^0.26.6",
 		"yargs": "^18.0.0"

package/dist/src/license/compatibility.d.ts

@@ -1,18 +0,0 @@
-/**
- * License compatibility: whether a dependency license is compatible with the project license.
- * Relies on backend-provided license categories.
- *
- * Compatibility is based on restrictiveness hierarchy:
- * PERMISSIVE < WEAK_COPYLEFT < STRONG_COPYLEFT
- *
- * A dependency is compatible if it's equal or less restrictive than the project license.
- * A dependency is incompatible if it's more restrictive than the project license.
- */
-/**
- * Check if a dependency's license is compatible with the project license based on backend categories.
- *
- * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @returns {'compatible'|'incompatible'|'unknown'}
- */
-export function getCompatibility(projectCategory?: string, dependencyCategory?: string): "compatible" | "incompatible" | "unknown";

package/dist/src/license/compatibility.js

@@ -1,45 +0,0 @@
-/**
- * License compatibility: whether a dependency license is compatible with the project license.
- * Relies on backend-provided license categories.
- *
- * Compatibility is based on restrictiveness hierarchy:
- * PERMISSIVE < WEAK_COPYLEFT < STRONG_COPYLEFT
- *
- * A dependency is compatible if it's equal or less restrictive than the project license.
- * A dependency is incompatible if it's more restrictive than the project license.
- */
-/**
- * Check if a dependency's license is compatible with the project license based on backend categories.
- *
- * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @returns {'compatible'|'incompatible'|'unknown'}
- */
-export function getCompatibility(projectCategory, dependencyCategory) {
-    if (!projectCategory || !dependencyCategory) {
-        return 'unknown';
-    }
-    const proj = projectCategory.toUpperCase();
-    const dep = dependencyCategory.toUpperCase();
-    // Unknown categories
-    if (proj === 'UNKNOWN' || dep === 'UNKNOWN') {
-        return 'unknown';
-    }
-    // Define restrictiveness levels (higher number = more restrictive)
-    const restrictiveness = {
-        'PERMISSIVE': 1,
-        'WEAK_COPYLEFT': 2,
-        'STRONG_COPYLEFT': 3
-    };
-    const projLevel = restrictiveness[proj];
-    const depLevel = restrictiveness[dep];
-    if (projLevel === undefined || depLevel === undefined) {
-        return 'unknown';
-    }
-    // Dependency is more restrictive than project → incompatible
-    if (depLevel > projLevel) {
-        return 'incompatible';
-    }
-    // Dependency is equal or less restrictive → compatible
-    return 'compatible';
-}