@trustify-da/trustify-da-javascript-client 0.3.0-ea.6549d2a → 0.3.0-ea.7281b26

package/dist/src/providers/golang_gomodules.js

@@ -1,9 +1,10 @@
 import fs from 'node:fs';
 import path from 'node:path';
-import { EOL } from "os";
 import { PackageURL } from 'packageurl-js';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom, getCustomPath, invokeCommand } from "../tools.js";
+import { getParser, getRequireQuery } from './gomod_parser.js';
 export default { isSupported, validateLockFile, provideComponent, provideStack, readLicenseFromManifest };
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
@@ -16,46 +17,46 @@ export default { isSupported, validateLockFile, provideComponent, provideStack,
 const ecosystem = 'golang';
 const defaultMainModuleVersion = "v0.0.0";
 /**
- * @param {string} manifestName - the subject manifest name-type
- * @returns {boolean} - return true if `pom.xml` is the manifest name-type
+ * @param {string} manifestName the subject manifest name-type
+ * @returns {boolean} return true if `pom.xml` is the manifest name-type
 */
 function isSupported(manifestName) {
     return 'go.mod' === manifestName;
 }
 /**
  * Go modules have no standard license field in go.mod
- * @param {string} manifestPath - path to go.mod
+ * @param {string} manifestPath path to go.mod
  * @returns {string|null}
 */
 // eslint-disable-next-line no-unused-vars
-function readLicenseFromManifest(manifestPath) { return null; }
+function readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
 /**
- * @param {string} manifestDir - the directory where the manifest lies
+ * @param {string} manifestDir the directory where the manifest lies
  */
 function validateLockFile() { return true; }
 /**
  * Provide content and content type for maven-maven stack analysis.
- * @param {string} manifest - the manifest path or name
- * @param {{}} [opts={}] - optional various options to pass along the application
- * @returns {Provided}
+ * @param {string} manifest the manifest path or name
+ * @param {{}} [opts={}] optional various options to pass along the application
+ * @returns {Promise<Provided>}
  */
-function provideStack(manifest, opts = {}) {
+async function provideStack(manifest, opts = {}) {
     return {
         ecosystem,
-        content: getSBOM(manifest, opts, true),
+        content: await getSBOM(manifest, opts, true),
         contentType: 'application/vnd.cyclonedx+json'
     };
 }
 /**
  * Provide content and content type for maven-maven component analysis.
- * @param {string} manifest - path to go.mod for component report
- * @param {{}} [opts={}] - optional various options to pass along the application
- * @returns {Provided}
+ * @param {string} manifest path to go.mod for component report
+ * @param {{}} [opts={}] optional various options to pass along the application
+ * @returns {Promise<Provided>}
  */
-function provideComponent(manifest, opts = {}) {
+async function provideComponent(manifest, opts = {}) {
     return {
         ecosystem,
-        content: getSBOM(manifest, opts, false),
+        content: await getSBOM(manifest, opts, false),
         contentType: 'application/vnd.cyclonedx+json'
     };
 }
@@ -76,50 +77,52 @@ function getChildVertexFromEdge(edge) {
     return edge.split(" ")[1];
 }
 /**
- *
- * @param line one row from go.mod file
- * @return {boolean} whether line from go.mod should be considered as ignored or not
+ * Check whether a require_spec has a valid exhortignore marker.
+ * For direct dependencies: `//exhortignore` or `// exhortignore`
+ * For indirect dependencies: `// indirect; exhortignore` (semicolon-separated)
+ * @param {import('web-tree-sitter').SyntaxNode} specNode
+ * @return {boolean}
  */
-function ignoredLine(line) {
-    let result = false;
-    if (line.match(".*exhortignore.*")) {
-        if (line.match(".+//\\s*exhortignore") || line.match(".+//\\sindirect (//)?\\s*exhortignore")) {
-            let trimmedRow = line.trim();
-            if (!trimmedRow.startsWith("module ") && !trimmedRow.startsWith("go ") && !trimmedRow.startsWith("require (") && !trimmedRow.startsWith("require(")
-                && !trimmedRow.startsWith("exclude ") && !trimmedRow.startsWith("replace ") && !trimmedRow.startsWith("retract ") && !trimmedRow.startsWith("use ")
-                && !trimmedRow.includes("=>")) {
-                if (trimmedRow.startsWith("require ") || trimmedRow.match("^[a-z.0-9/-]+\\s{1,2}[vV][0-9]\\.[0-9](\\.[0-9]){0,2}.*")) {
-                    result = true;
-                }
-            }
+function hasExhortIgnore(specNode) {
+    // Ideally this would be the following tree-sitter query instead, but for some
+    // reason it throws an error here but not in the playground.
+    // (require_spec) ((module_path) @path (version) (comment) @comment (#match? @comment "^//.*exhortignore"))
+    // QueryError: Bad pattern structure at offset 53: '(comment) @comment (#match? @comment "^//.*exhortignore")) @spec'...
+    let comments = specNode.children.filter(c => c.type === 'comment');
+    for (let comment of comments) {
+        let text = comment.text;
+        if (/^\/\/\s*indirect;\s*exhortignore/.test(text)) {
+            return true;
+        }
+        if (/^\/\/\s*exhortignore/.test(text)) {
+            return true;
         }
     }
-    return result;
-}
-/**
- * extract package name from go.mod line that contains exhortignore comment.
- * @param line a row contains exhortignore as part of a comment
- * @return {string} the full package name + group/namespace + version
- * @private
- */
-function extractPackageName(line) {
-    let trimmedRow = line.trim();
-    let firstRemarkNotationOccurrence = trimmedRow.indexOf("//");
-    return trimmedRow.substring(0, firstRemarkNotationOccurrence).trim();
+    return false;
 }
 /**
  *
- * @param {string } manifest - path to manifest
- * @return {[PackageURL]} list of ignored dependencies d
+ * @param {string} manifestContent go.mod file contents
+ * @param {import('web-tree-sitter').Parser} parser
+ * @param {import('web-tree-sitter').Query} requireQuery
+ * @return {PackageURL[]} list of ignored dependencies
  */
-function getIgnoredDeps(manifest) {
-    let goMod = fs.readFileSync(manifest).toString().trim();
-    let lines = goMod.split(getLineSeparatorGolang());
-    return lines.filter(line => ignoredLine(line)).map(line => extractPackageName(line)).map(dep => toPurl(dep, /[ ]{1,3}/));
+function getIgnoredDeps(manifestContent, parser, requireQuery) {
+    let tree = parser.parse(manifestContent);
+    return requireQuery.matches(tree.rootNode)
+        .filter(match => {
+        let specNode = match.captures.find(c => c.name === 'spec').node;
+        return hasExhortIgnore(specNode);
+    })
+        .map(match => {
+        let name = match.captures.find(c => c.name === 'name').node.text;
+        let version = match.captures.find(c => c.name === 'version').node.text;
+        return toPurl(`${name} ${version}`, /[ ]{1,3}/);
+    });
 }
 /**
  *
- * @param {[PackageURL]}allIgnoredDeps - list of purls of all dependencies that should be ignored
+ * @param {PackageURL[]} allIgnoredDeps list of purls of all dependencies that should be ignored
  * @param {PackageURL} purl object to be checked if needed to be ignored
  * @return {boolean}
  */
@@ -138,59 +141,29 @@ function enforceRemovingIgnoredDepsInCaseOfAutomaticVersionUpdate(ignoredDeps, s
 }
 /**
  *
- * @param {[string]} lines - array of lines of go.mod manifest
- * @param {string} goMod - content of go.mod manifest
- * @return {[string]} all dependencies from go.mod file as array
+ * @param {string} manifestContent go.mod file contents
+ * @param {import('web-tree-sitter').Parser} parser
+ * @param {import('web-tree-sitter').Query} requireQuery
+ * @return {string[]} all dependencies from go.mod file as "name version" strings
  */
-function collectAllDepsFromManifest(lines, goMod) {
-    let result;
-    // collect all deps that starts with require keyword
-    result = lines.filter((line) => line.trim().startsWith("require") && !line.includes("(")).map((dep) => dep.substring("require".length).trim());
-    // collect all deps that are inside `require` blocks
-    let currentSegmentOfGoMod = goMod;
-    let requirePositionObject = decideRequireBlockIndex(currentSegmentOfGoMod);
-    while (requirePositionObject.index > -1) {
-        let depsInsideRequirementsBlock = currentSegmentOfGoMod.substring(requirePositionObject.index + requirePositionObject.startingOffeset).trim();
-        let endOfBlockIndex = depsInsideRequirementsBlock.indexOf(")");
-        let currentIndex = 0;
-        while (currentIndex < endOfBlockIndex) {
-            let endOfLinePosition = depsInsideRequirementsBlock.indexOf(EOL, currentIndex);
-            let dependency = depsInsideRequirementsBlock.substring(currentIndex, endOfLinePosition);
-            result.push(dependency.trim());
-            currentIndex = endOfLinePosition + 1;
-        }
-        currentSegmentOfGoMod = currentSegmentOfGoMod.substring(endOfBlockIndex + 1).trim();
-        requirePositionObject = decideRequireBlockIndex(currentSegmentOfGoMod);
-    }
-    function decideRequireBlockIndex(goMod) {
-        let object = {};
-        let index = goMod.indexOf("require(");
-        object.startingOffeset = "require(".length;
-        if (index === -1) {
-            index = goMod.indexOf("require (");
-            object.startingOffeset = "require (".length;
-            if (index === -1) {
-                index = goMod.indexOf("require  (");
-                object.startingOffeset = "require  (".length;
-            }
-        }
-        object.index = index;
-        return object;
-    }
-    return result;
+function collectAllDepsFromManifest(manifestContent, parser, requireQuery) {
+    let tree = parser.parse(manifestContent);
+    return requireQuery.matches(tree.rootNode).map(match => {
+        let name = match.captures.find(c => c.name === 'name').node.text;
+        let version = match.captures.find(c => c.name === 'version').node.text;
+        return `${name} ${version}`;
+    });
 }
 /**
  *
  * @param {string} rootElementName the rootElementName element of go mod graph, to compare only direct deps from go mod graph against go.mod manifest
- * @param{[string]} goModGraphOutputRows the goModGraphOutputRows from go mod graph' output
- * @param {string }manifest path to go.mod manifest on file system
+ * @param {string[]} goModGraphOutputRows the goModGraphOutputRows from go mod graph' output
+ * @param {string} manifestContent go.mod file contents
  * @private
  */
-function performManifestVersionsCheck(rootElementName, goModGraphOutputRows, manifest) {
-    let goMod = fs.readFileSync(manifest).toString().trim();
-    let lines = goMod.split(getLineSeparatorGolang());
+function performManifestVersionsCheck(rootElementName, goModGraphOutputRows, manifestContent, parser, requireQuery) {
     let comparisonLines = goModGraphOutputRows.filter((line) => line.startsWith(rootElementName)).map((line) => getChildVertexFromEdge(line));
-    let manifestDeps = collectAllDepsFromManifest(lines, goMod);
+    let manifestDeps = collectAllDepsFromManifest(manifestContent, parser, requireQuery);
     try {
         comparisonLines.forEach((dependency) => {
             let parts = dependency.split("@");
@@ -202,7 +175,7 @@ function performManifestVersionsCheck(rootElementName, goModGraphOutputRows, man
                 let currentVersion = components[1];
                 if (currentDepName === depName) {
                     if (currentVersion !== version) {
-                        throw new Error(`versions mismatch for dependency name ${depName}, manifest version=${currentVersion}, installed Version=${version}, if you want to allow version mismatch for analysis between installed and requested packages, set environment variable/setting - MATCH_MANIFEST_VERSIONS=false`);
+                        throw new Error(`version mismatch for dependency "${depName}", manifest version=${currentVersion}, installed version=${version}, if you want to allow version mismatch for analysis between installed and requested packages, set environment variable/setting MATCH_MANIFEST_VERSIONS=false`);
                     }
                 }
             });
@@ -218,10 +191,10 @@ function performManifestVersionsCheck(rootElementName, goModGraphOutputRows, man
  * @param {string} manifest - path for go.mod
  * @param {{}} [opts={}] - optional various options to pass along the application
  * @param {boolean} includeTransitive - whether the sbom should contain transitive dependencies of the main module or not.
- * @returns {string} the SBOM json content
+ * @returns {Promise<string>} the SBOM json content
  * @private
  */
-function getSBOM(manifest, opts = {}, includeTransitive) {
+async function getSBOM(manifest, opts = {}, includeTransitive) {
     // get custom goBin path
     let goBin = getCustomPath('go', opts);
     // verify goBin is accessible
@@ -247,14 +220,25 @@ function getSBOM(manifest, opts = {}, includeTransitive) {
     catch (error) {
         throw new Error('failed to determine root module name', { cause: error });
     }
-    let ignoredDeps = getIgnoredDeps(manifest);
+    let manifestContent = fs.readFileSync(manifest).toString();
+    let [parser, requireQuery] = await Promise.all([getParser(), getRequireQuery()]);
+    let ignoredDeps = getIgnoredDeps(manifestContent, parser, requireQuery);
     let allIgnoredDeps = ignoredDeps.map((dep) => dep.toString());
     let sbom = new Sbom();
     let rows = goGraphOutput.split(getLineSeparatorGolang()).filter(line => !line.includes(' go@'));
-    let root = getParentVertexFromEdge(goModEditOutput['Module']['Path']);
+    let root = goModEditOutput['Module']['Path'];
+    // Build set of direct dependency paths from go mod edit -json
+    let directDepPaths = new Set();
+    if (goModEditOutput['Require']) {
+        goModEditOutput['Require'].forEach(req => {
+            if (!req['Indirect']) {
+                directDepPaths.add(req['Path']);
+            }
+        });
+    }
     let matchManifestVersions = getCustom("MATCH_MANIFEST_VERSIONS", "false", opts);
     if (matchManifestVersions === "true") {
-        performManifestVersionsCheck(root, rows, manifest);
+        performManifestVersionsCheck(root, rows, manifestContent, parser, requireQuery);
     }
     const mainModule = toPurl(root, "@");
     const license = readLicenseFromManifest(manifest);
@@ -272,7 +256,11 @@ function getSBOM(manifest, opts = {}, includeTransitive) {
                 currentParent = getParentVertexFromEdge(row);
                 source = toPurl(currentParent, "@");
             }
-            let target = toPurl(getChildVertexFromEdge(row), "@");
+            let child = getChildVertexFromEdge(row);
+            let target = toPurl(child, "@");
+            if (getParentVertexFromEdge(row) === root && !directDepPaths.has(getPackageName(child))) {
+                return;
+            }
             sbom.addDependency(source, target);
         });
         // at the end, filter out all ignored dependencies including versions.
@@ -282,10 +270,12 @@ function getSBOM(manifest, opts = {}, includeTransitive) {
     else {
         let directDependencies = rows.filter(row => row.startsWith(root));
         directDependencies.forEach(pair => {
-            let dependency = getChildVertexFromEdge(pair);
-            let depPurl = toPurl(dependency, "@");
-            if (dependencyNotIgnored(ignoredDeps, depPurl)) {
-                sbom.addDependency(mainModule, depPurl);
+            let child = getChildVertexFromEdge(pair);
+            let target = toPurl(child, "@");
+            if (dependencyNotIgnored(ignoredDeps, target)) {
+                if (directDepPaths.has(getPackageName(child))) {
+                    sbom.addDependency(mainModule, target);
+                }
             }
         });
         enforceRemovingIgnoredDepsInCaseOfAutomaticVersionUpdate(ignoredDeps, sbom);
@@ -295,7 +285,7 @@ function getSBOM(manifest, opts = {}, includeTransitive) {
 /**
  * Utility function for creating Purl String
 
- * @param {string }dependency the name of the artifact, can include a namespace(group) or not - namespace/artifactName.
+ * @param {string} dependency the name of the artifact, can include a namespace(group) or not - namespace/artifactName.
  * @param {RegExp} delimiter delimiter between name of dependency and version
  * @private
  * @returns {PackageURL|null} PackageUrl Object ready to be used in SBOM
@@ -320,12 +310,12 @@ function toPurl(dependency, delimiter) {
     }
     return pkg;
 }
-/** This function gets rows from go mod graph , and go.mod graph, and selecting for all
+/** This function gets rows from go mod graph, and go.mod graph, and selecting for all
  * packages the has more than one minor the final versions as selected by golang MVS algorithm.
- * @param {[string]}rows all the rows from go modules dependency tree
+ * @param {string[]} rows all the rows from go modules dependency tree
  * @param {string} manifestPath the path of the go.mod file
  * @param {string} path to go binary
- * @return {[string]} rows that contains final versions.
+ * @return {string[]} rows that contains final versions.
  */
 function getFinalPackagesVersionsForModule(rows, manifestPath, goBin) {
     let manifestDir = path.dirname(manifestPath);
@@ -380,7 +370,7 @@ function getFinalPackagesVersionsForModule(rows, manifestPath, goBin) {
 /**
  *
  * @param {string} fullPackage - full package with its name and version
- * @return -{string} package name only
+ * @return {string} package name only
  * @private
  */
 function getPackageName(fullPackage) {
@@ -398,7 +388,7 @@ function isSpecialGoModule(moduleName) {
 /**
  *
  * @param {string} fullPackage - full package with its name and version
- * @return -{string} package version only
+ * @return {string|undefined} package version only
  * @private
  */
 function getVersionOfPackage(fullPackage) {

package/dist/src/providers/gomod_parser.d.ts

@@ -0,0 +1,4 @@
+export function getParser(): Promise<Parser>;
+export function getRequireQuery(): Promise<Query>;
+import { Parser } from 'web-tree-sitter';
+import { Query } from 'web-tree-sitter';

package/dist/src/providers/gomod_parser.js

@@ -0,0 +1,16 @@
+import { readFile } from 'node:fs/promises';
+import { Language, Parser, Query } from 'web-tree-sitter';
+const wasmUrl = new URL('./tree-sitter-gomod.wasm', import.meta.url);
+async function init() {
+    await Parser.init();
+    const wasmBytes = new Uint8Array(await readFile(wasmUrl));
+    return await Language.load(wasmBytes);
+}
+export async function getParser() {
+    const language = await init();
+    return new Parser().setLanguage(language);
+}
+export async function getRequireQuery() {
+    const language = await init();
+    return new Query(language, '(require_spec (module_path) @name (version) @version) @spec');
+}

package/dist/src/providers/java_gradle.js

@@ -2,6 +2,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { EOL } from 'os';
 import TOML from 'fast-toml';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import Base_java, { ecosystem_gradle } from "./base_java.js";
 /** @typedef {import('../provider.js').Provider} */
@@ -55,7 +56,7 @@ export default class Java_gradle extends Base_java {
      * @returns {null}
      */
     // eslint-disable-next-line no-unused-vars
-    readLicenseFromManifest(manifestPath) { return null; }
+    readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
     /**
      * Provide content and content type for stack analysis.
      * @param {string} manifest - the manifest path or name

package/dist/src/providers/java_maven.d.ts

@@ -28,7 +28,7 @@ export default class Java_maven extends Base_java {
      */
     provideComponent(manifest: string, opts?: {}): Provided;
     /**
-     * Read license from pom.xml manifest
+     * Read license from pom.xml manifest, with fallback to LICENSE file
      * @param {string} manifestPath - path to pom.xml
      * @returns {string|null}
      */

package/dist/src/providers/java_maven.js

@@ -3,6 +3,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { EOL } from 'os';
 import { XMLParser } from 'fast-xml-parser';
+import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom } from '../tools.js';
 import Base_java, { ecosystem_maven } from "./base_java.js";
@@ -52,28 +53,28 @@ export default class Java_maven extends Base_java {
         };
     }
     /**
-     * Read license from pom.xml manifest
+     * Read license from pom.xml manifest, with fallback to LICENSE file
      * @param {string} manifestPath - path to pom.xml
      * @returns {string|null}
      */
     readLicenseFromManifest(manifestPath) {
+        let fromPom = null;
         try {
             const xml = fs.readFileSync(manifestPath, 'utf-8');
             const parser = new XMLParser({ ignoreAttributes: false });
             const obj = parser.parse(xml);
             const project = obj?.project;
-            if (!project?.licenses?.license) {
-                return null;
+            if (project?.licenses?.license) {
+                const license = Array.isArray(project.licenses.license)
+                    ? project.licenses.license[0]
+                    : project.licenses.license;
+                fromPom = (license?.name && license.name.trim()) || null;
             }
-            const license = Array.isArray(project.licenses.license)
-                ? project.licenses.license[0]
-                : project.licenses.license;
-            const name = (license?.name && license.name.trim()) || null;
-            return name || null;
         }
         catch {
-            return null;
+            // leave fromPom as null
         }
+        return getLicense(fromPom, manifestPath);
     }
     /**
      * Create a Dot Graph dependency tree for a manifest path.

package/dist/src/providers/javascript_pnpm.d.ts

@@ -1,5 +1,5 @@
 export default class Javascript_pnpm extends Base_javascript {
     _listCmdArgs(includeTransitive: any): string[];
-    _buildDependencyTree(includeTransitive: any, manifest: any): any;
+    _buildDependencyTree(includeTransitive: any, opts?: {}): any;
 }
 import Base_javascript from './base_javascript.js';

package/dist/src/providers/javascript_pnpm.js

@@ -12,8 +12,8 @@ export default class Javascript_pnpm extends Base_javascript {
     _updateLockFileCmdArgs() {
         return ['install', '--frozen-lockfile'];
     }
-    _buildDependencyTree(includeTransitive, manifest) {
-        const tree = super._buildDependencyTree(includeTransitive, manifest);
+    _buildDependencyTree(includeTransitive, opts = {}) {
+        const tree = super._buildDependencyTree(includeTransitive, opts);
         if (Array.isArray(tree) && tree.length > 0) {
             return tree[0];
         }

package/dist/src/providers/manifest.d.ts

@@ -2,6 +2,8 @@ export default class Manifest {
     constructor(manifestPath: any);
     manifestPath: any;
     dependencies: any[];
+    peerDependencies: any;
+    optionalDependencies: any;
     name: any;
     version: any;
     ignored: any[];

package/dist/src/providers/manifest.js

@@ -9,6 +9,8 @@ export default class Manifest {
         this.manifestPath = manifestPath;
         const content = this.loadManifest();
         this.dependencies = this.loadDependencies(content);
+        this.peerDependencies = content.peerDependencies || {};
+        this.optionalDependencies = content.optionalDependencies || {};
         this.name = content.name;
         this.version = content.version || DEFAULT_VERSION;
         this.ignored = this.loadIgnored(content);
@@ -27,11 +29,27 @@ export default class Manifest {
     }
     loadDependencies(content) {
         let deps = [];
-        if (!content.dependencies) {
-            return deps;
+        const depSources = [
+            content.dependencies,
+            content.peerDependencies,
+            content.optionalDependencies,
+        ];
+        for (const source of depSources) {
+            if (source) {
+                for (let dep in source) {
+                    if (!deps.includes(dep)) {
+                        deps.push(dep);
+                    }
+                }
+            }
         }
-        for (let dep in content.dependencies) {
-            deps.push(dep);
+        // bundledDependencies is an array of package names (subset of dependencies)
+        if (Array.isArray(content.bundledDependencies)) {
+            for (const dep of content.bundledDependencies) {
+                if (!deps.includes(dep)) {
+                    deps.push(dep);
+                }
+            }
         }
         return deps;
     }

package/dist/src/providers/processors/yarn_berry_processor.js

@@ -48,13 +48,15 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!depTree) {
             return new Map();
         }
-        return new Map(depTree.filter(dep => !this.#isRoot(dep.value)).map(dep => {
+        return new Map(depTree.filter(dep => !this.#isRoot(dep.value))
+            .map(dep => {
             const depName = dep.value;
             const idx = depName.lastIndexOf('@');
             const name = depName.substring(0, idx);
             const version = dep.children.Version;
             return [name, toPurl(purlType, name, version)];
-        }));
+        })
+            .filter(([name]) => this._manifest.dependencies.includes(name)));
     }
     /**
    * Checks if a dependency is the root package
@@ -77,14 +79,58 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!depTree) {
             return;
         }
+        // Build index of nodes by their value for quick lookup
+        const nodeIndex = new Map();
+        depTree.forEach(n => nodeIndex.set(n.value, n));
+        // Determine the set of node values reachable from root via production deps
+        const prodDeps = new Set(this._manifest.dependencies);
+        const reachable = new Set();
+        const queue = [];
+        // Seed with root's production dependencies
+        const rootNode = depTree.find(n => this.#isRoot(n.value));
+        if (rootNode?.children?.Dependencies) {
+            for (const d of rootNode.children.Dependencies) {
+                const to = this.#purlFromLocator(d.locator);
+                if (to) {
+                    const fullName = to.namespace ? `${to.namespace}/${to.name}` : to.name;
+                    if (prodDeps.has(fullName)) {
+                        queue.push(d.locator);
+                    }
+                }
+            }
+        }
+        // BFS to find all transitively reachable packages
+        while (queue.length > 0) {
+            const locator = queue.shift();
+            if (reachable.has(locator)) {
+                continue;
+            }
+            reachable.add(locator);
+            const node = nodeIndex.get(this.#nodeValueFromLocator(locator));
+            if (node?.children?.Dependencies) {
+                for (const d of node.children.Dependencies) {
+                    if (!reachable.has(d.locator)) {
+                        queue.push(d.locator);
+                    }
+                }
+            }
+        }
+        // Only emit edges for root and reachable nodes
         depTree.forEach(n => {
             const depName = n.value;
-            const from = this.#isRoot(depName) ? toPurlFromString(sbom.getRoot().purl) : this.#purlFromNode(depName, n);
+            const isRoot = this.#isRoot(depName);
+            if (!isRoot && !this.#isReachableNode(depName, reachable)) {
+                return;
+            }
+            const from = isRoot ? toPurlFromString(sbom.getRoot().purl) : this.#purlFromNode(depName, n);
             const deps = n.children?.Dependencies;
             if (!deps) {
                 return;
             }
             deps.forEach(d => {
+                if (!reachable.has(d.locator)) {
+                    return;
+                }
                 const to = this.#purlFromLocator(d.locator);
                 if (to) {
                     sbom.addDependency(from, to);
@@ -92,6 +138,39 @@ export default class Yarn_berry_processor extends Yarn_processor {
             });
         });
     }
+    /**
+     * Converts a locator to the node value format used in yarn info output
+     * @param {string} locator - e.g. "express@npm:4.17.1"
+     * @returns {string} The node value, same as locator for non-virtual
+     * @private
+     */
+    #nodeValueFromLocator(locator) {
+        // Virtual locators: "@scope/name@virtual:hash#npm:version" → "@scope/name@npm:version"
+        const virtualMatch = Yarn_berry_processor.VIRTUAL_LOCATOR_PATTERN.exec(locator);
+        if (virtualMatch) {
+            return `${virtualMatch[1]}@npm:${virtualMatch[2]}`;
+        }
+        return locator;
+    }
+    /**
+     * Checks if a node is in the reachable set by matching its value against reachable locators
+     * @param {string} depName - The node value (e.g. "express@npm:4.17.1")
+     * @param {Set<string>} reachable - Set of reachable locators
+     * @returns {boolean}
+     * @private
+     */
+    #isReachableNode(depName, reachable) {
+        if (reachable.has(depName)) {
+            return true;
+        }
+        // Check if any reachable locator resolves to this node value
+        for (const locator of reachable) {
+            if (this.#nodeValueFromLocator(locator) === depName) {
+                return true;
+            }
+        }
+        return false;
+    }
     /**
    * Creates a PackageURL from a dependency locator
    * @param {string} locator - The dependency locator