@trustify-da/trustify-da-javascript-client 0.3.0-ea.7144952 → 0.3.0-ea.7281b26

package/README.md

@@ -224,7 +224,8 @@ $ trustify-da-javascript-client license /path/to/package.json
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://pnpm.io/">pnpm</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://classic.yarnpkg.com/">Yarn Classic</a> /  <a href="https://yarnpkg.com/">Yarn Berry</a></li>
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
-<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a> (<code>requirements.txt</code>)</li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://python-poetry.org/">Poetry</a> / <a href="https://docs.astral.sh/uv/">uv</a> (<code>pyproject.toml</code>)</li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
 <li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
 </ul>
@@ -287,8 +288,11 @@ Excluding a package from any analysis can be achieved by marking the package for
   ]
 }
 ```
+</li>
+
+<li>
+<em>Golang</em> users can add in go.mod a comment with <code>// exhortignore</code> next to the package to be ignored, or to "piggyback" on existing comment ( e.g - <code>// indirect</code>), for example:
 
-<em>Golang</em> users can add in go.mod a comment with //exhortignore next to the package to be ignored, or to "piggyback" on existing comment ( e.g - //indirect) , for example:
 ```go
 module github.com/trustify-da/SaaSi/deployer
 
@@ -297,7 +301,7 @@ go 1.19
 require (
         github.com/gin-gonic/gin v1.9.1
         github.com/google/uuid v1.1.2
-        github.com/jessevdk/go-flags v1.5.0 //exhortignore
+        github.com/jessevdk/go-flags v1.5.0 // exhortignore
         github.com/kr/pretty v0.3.1
         gopkg.in/yaml.v2 v2.4.0
         k8s.io/apimachinery v0.26.1
@@ -305,14 +309,20 @@ require (
 )
 
 require (
-        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
+        github.com/davecgh/go-spew v1.1.1 // indirect; exhortignore
         github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-        github.com/go-logr/logr v1.2.3 // indirect //exhortignore
+        github.com/go-logr/logr v1.2.3 // indirect; exhortignore
 
 )
 ```
 
+<b>NOTE</b>: It is important to format <code>exhortignore</code> markers on indirect dependencies as shown above, otherwise the Go tooling (as well as this library) may incorrectly parse dependencies marked as indirect as being direct dependencies instead.
+</li>
+
+
+<li>
 <em>Python pip</em> users can add in requirements.txt a comment with #exhortignore(or # exhortignore) to the right of the same artifact to be ignored, for example:
+
 ```properties
 anyio==3.6.2
 asgiref==3.4.1
@@ -343,11 +353,14 @@ Werkzeug==2.0.3
 zipp==3.6.0
 
 ```
+</li>
 
+<li>
 <em>Gradle</em> users can add in build.gradle a comment with //exhortignore next to the package to be ignored:
+
 ```build.gradle
 plugins {
-id 'java'
+    id 'java'
 }
 
 group = 'groupName'
@@ -379,9 +392,31 @@ version = "1.10"
 log = "0.4" # trustify-da-ignore
 ```
 
-All of the 6 above examples are valid for marking a package to be ignored
-</li>
 
+<em>Python pyproject.toml</em> users can add a comment with <code>#exhortignore</code> (or <code># trustify-da-ignore</code>) next to the dependency in <code>pyproject.toml</code>.
+
+PEP 621 style (<code>[project]</code> dependencies):
+```toml
+[project]
+dependencies = [
+    "flask>=2.0.3",
+    "requests>=2.25.1",
+    "uvicorn>=0.17.0", #exhortignore
+    "click>=8.0.4", # trustify-da-ignore
+]
+```
+
+Poetry style (<code>[tool.poetry.dependencies]</code>):
+```toml
+[tool.poetry.dependencies]
+flask = "^2.0.3"
+requests = "^2.25.1"
+uvicorn = "^0.17.0" #exhortignore
+click = "^8.0.4" # trustify-da-ignore
+```
+
+All of the above examples are valid for marking a package to be ignored
+</li>
 </ul>
 
 <h3>Customization</h3>
@@ -410,6 +445,8 @@ let options = {
   'TRUSTIFY_DA_PIP3_PATH' : '/path/to/pip3',
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
+  'TRUSTIFY_DA_UV_PATH' : '/path/to/uv',
+  'TRUSTIFY_DA_POETRY_PATH' : '/path/to/poetry',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
   'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
   // Workspace root for monorepos (Cargo, npm/pnpm/yarn); lock file expected here
@@ -556,6 +593,16 @@ following keys for setting custom paths for the said executables.
 <td>TRUSTIFY_DA_CARGO_PATH</td>
 </tr>
 <tr>
+<td><a href="https://docs.astral.sh/uv/">uv</a></td>
+<td><em>uv</em></td>
+<td>TRUSTIFY_DA_UV_PATH</td>
+</tr>
+<tr>
+<td><a href="https://python-poetry.org/">Poetry</a></td>
+<td><em>poetry</em></td>
+<td>TRUSTIFY_DA_POETRY_PATH</td>
+</tr>
+<tr>
 <td>Workspace root (monorepos)</td>
 <td>—</td>
 <td>workspaceDir / TRUSTIFY_DA_WORKSPACE_DIR</td>
@@ -608,6 +655,24 @@ TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED=false
 
 #### Python Support
 
+The client supports two Python manifest formats:
+
+- **`requirements.txt`** — uses pip/pip3 to resolve dependencies
+- **`pyproject.toml`** — uses [uv](https://docs.astral.sh/uv/) or [Poetry](https://python-poetry.org/) to resolve dependencies
+
+##### pyproject.toml
+
+For `pyproject.toml` projects, the client detects which tool manages the project by checking for lock files:
+- If `poetry.lock` is present and `[tool.poetry]` is defined, **Poetry** is used (`poetry show --tree` and `poetry show --all`)
+- If `uv.lock` is present, **uv** is used (`uv export --format requirements.txt --frozen --no-hashes`)
+- If neither lock file is found, an error is thrown
+
+Both PEP 621 (`[project]` dependencies) and Poetry-style (`[tool.poetry.dependencies]`) are supported.
+
+Custom executable paths can be set via `TRUSTIFY_DA_UV_PATH` and `TRUSTIFY_DA_POETRY_PATH`.
+
+##### requirements.txt
+
 By default, For python support, the api assumes that the package is installed using the pip/pip3 binary on the system PATH, or using the customized
 Binaries passed to environment variables. In any case, If the package is not installed , then an error will be thrown.
 

package/dist/package.json

@@ -38,13 +38,13 @@
         "lint": "eslint src test --ext js",
         "lint:fix": "eslint src test --ext js --fix",
         "test": "c8 npm run tests",
-        "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
+        "tests": "mocha --config .mocharc.json",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
-        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm",
+        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
         "precompile": "rm -rf dist",
         "compile": "tsc -p tsconfig.json",
         "compile:dev": "tsc -p tsconfig.dev.json",
-        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm"
+        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm dist/src/providers/tree-sitter-gomod.wasm"
     },
     "dependencies": {
         "@babel/core": "^7.23.2",
@@ -58,11 +58,12 @@
         "js-yaml": "^4.1.1",
         "micromatch": "^4.0.8",
         "node-fetch": "^3.3.2",
-        "p-limit": "^5.0.0",
+        "p-limit": "^4.0.0",
         "packageurl-js": "~1.0.2",
         "smol-toml": "^1.6.0",
+        "tree-sitter-gomod": "github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda",
         "tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
-        "web-tree-sitter": "^0.26.6",
+        "web-tree-sitter": "^0.26.7",
         "yargs": "^18.0.0"
     },
     "devDependencies": {

package/dist/src/analysis.js

@@ -189,7 +189,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
-    const resp = await fetch(finalUrl, {
+    const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
             'Accept': html ? 'text/html' : 'application/json',
@@ -197,7 +197,8 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
             ...getTokenHeaders(opts)
         },
         body: JSON.stringify(imageSboms),
-    });
+    }, opts);
+    const resp = await fetch(finalUrl, fetchOptions);
     if (resp.status === 200) {
         let result;
         if (!html) {

package/dist/src/cli.js

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
+import fs from 'node:fs';
 import * as path from "path";
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import { getProjectLicense, getLicenseDetails } from './license/index.js';
-import client, { selectTrustifyDABackend } from './index.js';
+import client, { selectTrustifyDABackend, generateSbom } from './index.js';
 // command for component analysis take manifest type and content
 const component = {
     command: 'component </path/to/manifest>',
@@ -325,15 +326,63 @@ const license = {
         console.log(JSON.stringify(output, null, 2));
     }
 };
+const sbom = {
+    command: 'sbom </path/to/manifest> [--output]',
+    desc: 'generate a CycloneDX SBOM from a manifest file',
+    builder: yargs => yargs.positional('/path/to/manifest', {
+        desc: 'manifest path for SBOM generation',
+        type: 'string',
+        normalize: true,
+    }).options({
+        output: {
+            alias: 'o',
+            desc: 'Write SBOM JSON to a file instead of stdout',
+            type: 'string',
+            normalize: true,
+        },
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
+        }
+    }),
+    handler: async (args) => {
+        let manifest = args['/path/to/manifest'];
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
+        let result;
+        try {
+            result = await generateSbom(manifest, opts);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: `Failed to generate SBOM: ${err.message}` }, null, 2));
+            process.exit(1);
+        }
+        const json = JSON.stringify(result, null, 2);
+        if (args.output) {
+            try {
+                fs.writeFileSync(args.output, json);
+            }
+            catch (err) {
+                console.error(JSON.stringify({ error: `Failed to write output file: ${err.message}` }, null, 2));
+                process.exit(1);
+            }
+        }
+        else {
+            console.log(json);
+        }
+    }
+};
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license|sbom}`)
     .command(stack)
     .command(stackBatch)
     .command(component)
     .command(image)
     .command(validateToken)
     .command(license)
+    .command(sbom)
     .scriptName('')
     .version(false)
     .demandCommand(1)

package/dist/src/cyclone_dx_sbom.d.ts

@@ -70,6 +70,13 @@ export default class CycloneDxSbom {
      * @return {boolean}
      */
     checkIfPackageInsideDependsOnList(component: any, name: string): boolean;
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef: PackageURL, purlPrefix: string): boolean;
     /** Removes the root component from the sbom
      */
     removeRootComponent(): void;

package/dist/src/cyclone_dx_sbom.js

@@ -242,6 +242,20 @@ export default class CycloneDxSbom {
             return false;
         }
     }
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef, purlPrefix) {
+        const sourcePurl = sourceRef.toString();
+        const depIndex = this.getDependencyIndex(sourcePurl);
+        if (depIndex < 0) {
+            return false;
+        }
+        return this.dependencies[depIndex].dependsOn.some(dep => dep.startsWith(purlPrefix));
+    }
     /** Removes the root component from the sbom
      */
     removeRootComponent() {

package/dist/src/index.d.ts

@@ -13,6 +13,15 @@ export function selectTrustifyDABackend(opts?: {
     TRUSTIFY_DA_DEBUG?: string | undefined;
     TRUSTIFY_DA_BACKEND_URL?: string | undefined;
 }): string;
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export function generateSbom(manifestPath: string, opts?: Options): Promise<object>;
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 declare namespace _default {
@@ -21,6 +30,7 @@ declare namespace _default {
     export { stackAnalysisBatch };
     export { imageAnalysis };
     export { validateToken };
+    export { generateSbom };
 }
 export default _default;
 export type Options = {
@@ -64,6 +74,8 @@ export type Options = {
     TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined;
     batchMetadata?: boolean | undefined;
     TRUSTIFY_DA_BATCH_METADATA?: string | undefined;
+    TRUSTIFY_DA_UV_PATH?: string | undefined;
+    TRUSTIFY_DA_POETRY_PATH?: string | undefined;
     [key: string]: string | number | boolean | string[] | undefined;
 };
 export type BatchAnalysisMetadata = {

package/dist/src/index.js

@@ -12,7 +12,7 @@ import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
-export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken };
+export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
 export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
@@ -56,6 +56,8 @@ export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson
  * TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined,
  * batchMetadata?: boolean | undefined,
  * TRUSTIFY_DA_BATCH_METADATA?: string | undefined,
+ * TRUSTIFY_DA_UV_PATH?: string | undefined,
+ * TRUSTIFY_DA_POETRY_PATH?: string | undefined,
  * [key: string]: string | number | boolean | string[] | undefined,
  * }} Options
  */
@@ -235,6 +237,22 @@ function buildBatchAnalysisMetadata(root, ecosystem, totalSbomAttempts, successf
         errors: [...errors],
     };
 }
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export async function generateSbom(manifestPath, opts = {}) {
+    fs.accessSync(manifestPath, fs.constants.R_OK);
+    const result = await generateOneSbom(manifestPath, opts);
+    if (!result.ok) {
+        throw new Error(`Failed to generate SBOM for ${result.manifestPath}: ${result.reason}`);
+    }
+    return result.sbom;
+}
 /**
  * @typedef {{ ok: true, purl: string, sbom: object } | { ok: false, manifestPath: string, reason: string }} SbomResult
  */

package/dist/src/oci_image/utils.js

@@ -135,7 +135,7 @@ function execSyft(imageRef, opts = {}) {
 function getSyftEnvs(dockerPath, podmanPath) {
     let path = null;
     if (dockerPath && podmanPath) {
-        path = `${dockerPath}${File.pathSeparator}${podmanPath}`;
+        path = `${dockerPath}${delimiter}${podmanPath}`;
     }
     else if (dockerPath) {
         path = dockerPath;
@@ -276,7 +276,16 @@ function podmanGetVariant(opts = {}) {
  * @returns {string} - The information
  */
 function dockerPodmanInfo(dockerSupplier, podmanSupplier, opts = {}) {
-    return dockerSupplier(opts) || podmanSupplier(opts);
+    try {
+        const result = dockerSupplier(opts);
+        if (result) {
+            return result;
+        }
+    }
+    catch (_) {
+        // docker not available, fall through to podman
+    }
+    return podmanSupplier(opts);
 }
 /**
  * Gets the digests for an image

package/dist/src/provider.js

@@ -7,6 +7,8 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_poetry from './providers/python_poetry.js';
+import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
 /** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
@@ -23,6 +25,8 @@ export const availableProviders = [
     new Javascript_npm(),
     golangGomodulesProvider,
     pythonPipProvider,
+    new Python_poetry(),
+    new Python_uv(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_javascript.d.ts

@@ -67,16 +67,26 @@ export default class Base_javascript {
    */
     isSupported(manifestName: string): boolean;
     /**
-   * Checks if a required lock file exists in the manifest directory or at the workspace root.
-   * When TRUSTIFY_DA_WORKSPACE_DIR is provided (via env var or opts),
-   * checks only that directory for the lock file.
+   * Walks up the directory tree from manifestDir looking for the lock file.
+   * Stops when the lock file is found, when a package.json with a "workspaces"
+   * field is encountered without a lock file (workspace root boundary), or
+   * when the filesystem root is reached.
+   *
+   * When TRUSTIFY_DA_WORKSPACE_DIR is set, checks only that directory (no walk-up).
+   *
+   * @param {string} manifestDir - The directory to start searching from
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
+   * @returns {string|null} The directory containing the lock file, or null
+   * @protected
+   */
+    protected _isWorkspaceRoot(dir: any): string | null;
+    _findLockFileDir(manifestDir: any, opts?: {}): string | null;
+    /**
    * @param {string} manifestDir - The base directory where the manifest is located
-   * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional workspace root
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
    * @returns {boolean} True if the lock file exists
    */
-    validateLockFile(manifestDir: string, opts?: {
-        TRUSTIFY_DA_WORKSPACE_DIR?: string;
-    }): boolean;
+    validateLockFile(manifestDir: string, opts?: any): boolean;
     /**
    * Provides content and content type for stack analysis
    * @param {string} manifestPath - The manifest path or name

package/dist/src/providers/base_javascript.js

@@ -97,18 +97,63 @@ export default class Base_javascript {
         return 'package.json' === manifestName;
     }
     /**
-   * Checks if a required lock file exists in the manifest directory or at the workspace root.
-   * When TRUSTIFY_DA_WORKSPACE_DIR is provided (via env var or opts),
-   * checks only that directory for the lock file.
+   * Walks up the directory tree from manifestDir looking for the lock file.
+   * Stops when the lock file is found, when a package.json with a "workspaces"
+   * field is encountered without a lock file (workspace root boundary), or
+   * when the filesystem root is reached.
+   *
+   * When TRUSTIFY_DA_WORKSPACE_DIR is set, checks only that directory (no walk-up).
+   *
+   * @param {string} manifestDir - The directory to start searching from
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
+   * @returns {string|null} The directory containing the lock file, or null
+   * @protected
+   */
+    _isWorkspaceRoot(dir) {
+        if (fs.existsSync(path.join(dir, 'pnpm-workspace.yaml'))) {
+            return true;
+        }
+        const pkgJsonPath = path.join(dir, 'package.json');
+        if (fs.existsSync(pkgJsonPath)) {
+            try {
+                const content = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8'));
+                if (content.workspaces) {
+                    return true;
+                }
+            }
+            catch (_) {
+                // ignore parse errors
+            }
+        }
+        return false;
+    }
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        let dir = path.resolve(manifestDir);
+        let parent = dir;
+        do {
+            dir = parent;
+            if (fs.existsSync(path.join(dir, this._lockFileName()))) {
+                return dir;
+            }
+            if (this._isWorkspaceRoot(dir)) {
+                return null;
+            }
+            parent = path.dirname(dir);
+        } while (parent !== dir);
+        return null;
+    }
+    /**
    * @param {string} manifestDir - The base directory where the manifest is located
-   * @param {{TRUSTIFY_DA_WORKSPACE_DIR?: string}} [opts={}] - optional workspace root
+   * @param {Object} [opts={}] - optional; may contain TRUSTIFY_DA_WORKSPACE_DIR
    * @returns {boolean} True if the lock file exists
    */
     validateLockFile(manifestDir, opts = {}) {
-        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
-        const dirToCheck = workspaceDir ? path.resolve(workspaceDir) : manifestDir;
-        const lock = path.join(dirToCheck, this._lockFileName());
-        return fs.existsSync(lock);
+        return this._findLockFileDir(manifestDir, opts) !== null;
     }
     /**
    * Provides content and content type for stack analysis
@@ -171,8 +216,7 @@ export default class Base_javascript {
     _buildDependencyTree(includeTransitive, opts = {}) {
         this._version();
         const manifestDir = path.dirname(this.#manifest.manifestPath);
-        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
-        const cmdDir = workspaceDir ? path.resolve(workspaceDir) : manifestDir;
+        const cmdDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
         this.#createLockFile(cmdDir);
         let output = this.#executeListCmd(includeTransitive, cmdDir);
         output = this._parseDepTreeOutput(output);
@@ -191,9 +235,32 @@ export default class Base_javascript {
         let sbom = new Sbom();
         sbom.addRoot(mainComponent, license);
         this._addDependenciesToSbom(sbom, depsObject);
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
+    /**
+     * Ensures peer and optional dependencies declared in the manifest are
+     * present in the SBOM, even when the package manager does not resolve them
+     * (e.g. yarn does not include peer deps in its dependency listing).
+     * @param {Sbom} sbom - The SBOM to supplement
+     * @private
+     */
+    #ensurePeerAndOptionalDeps(sbom) {
+        const rootPurl = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const depSources = [this.#manifest.peerDependencies, this.#manifest.optionalDependencies];
+        for (const source of depSources) {
+            for (const [name, version] of Object.entries(source)) {
+                // Build the purl prefix for exact matching (e.g. "pkg:npm/minimist@"
+                // or "pkg:npm/%40hapi/joi@") to avoid substring false positives
+                const probe = toPurl(purlType, name, version);
+                const purlPrefix = probe.toString().replace(/@[^@]*$/, '@');
+                if (!sbom.checkDependsOnByPurlPrefix(rootPurl, purlPrefix)) {
+                    sbom.addDependency(rootPurl, probe);
+                }
+            }
+        }
+    }
     /**
    * Recursively builds the Sbom from the JSON that npm listing returns
    * @param {Sbom} sbom - The SBOM object to add dependencies to
@@ -201,7 +268,10 @@ export default class Base_javascript {
    * @protected
    */
     _addDependenciesToSbom(sbom, depTree) {
-        const dependencies = depTree["dependencies"] || {};
+        const dependencies = {
+            ...depTree["dependencies"],
+            ...depTree["optionalDependencies"],
+        };
         Object.entries(dependencies)
             .forEach(entry => {
             const [name, artifact] = entry;
@@ -251,6 +321,7 @@ export default class Base_javascript {
             const rootPurl = toPurlFromString(sbom.getRoot().purl);
             sbom.addDependency(rootPurl, rootDeps.get(key));
         }
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
@@ -261,10 +332,14 @@ export default class Base_javascript {
    * @protected
    */
     _getRootDependencies(depTree) {
-        if (!depTree.dependencies) {
+        const allDeps = {
+            ...depTree.dependencies,
+            ...depTree.optionalDependencies,
+        };
+        if (Object.keys(allDeps).length === 0) {
             return new Map();
         }
-        return new Map(Object.entries(depTree.dependencies).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
+        return new Map(Object.entries(allDeps).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
     }
     /**
    * Executes the list command to get dependencies
@@ -275,7 +350,7 @@ export default class Base_javascript {
    */
     #executeListCmd(includeTransitive, manifestDir) {
         const listArgs = this._listCmdArgs(includeTransitive, manifestDir);
-        return this.#invokeCommand(listArgs);
+        return this.#invokeCommand(listArgs, { cwd: manifestDir });
     }
     /**
    * Gets the version of the package manager
@@ -294,13 +369,11 @@ export default class Base_javascript {
         const originalDir = process.cwd();
         const isWindows = os.platform() === 'win32';
         if (isWindows) {
-            // On Windows, --prefix flag doesn't work as expected
-            // Instead of installing from the prefix folder, it installs from current working directory
             process.chdir(manifestDir);
         }
         try {
             const args = this._updateLockFileCmdArgs(manifestDir);
-            this.#invokeCommand(args);
+            this.#invokeCommand(args, { cwd: manifestDir });
         }
         finally {
             if (isWindows) {