@trustify-da/trustify-da-javascript-client 0.3.0-ea.8adb67b → 0.3.0-ea.8eab29b

package/dist/src/cyclone_dx_sbom.js

@@ -5,10 +5,12 @@ import { PackageURL } from "packageurl-js";
  * @param component {PackageURL}
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
- * @return {{"bom-ref": string, name, purl: string, type, version, scope}}
+ * @param licenses optional license string or array of licenses for the component
+ * @param hashes optional array of hash objects for the component, e.g. [{alg: "SHA-256", content: "..."}]
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?, hashes?}}
  * @private
  */
-function getComponent(component, type, scope) {
+function getComponent(component, type, scope, licenses, hashes) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -36,6 +38,28 @@ function getComponent(component, type, scope) {
     else {
         componentObject = component;
     }
+    // Add licenses if provided (CycloneDX format). Callers must provide valid SPDX identifiers.
+    if (licenses) {
+        const licenseArray = Array.isArray(licenses) ? licenses : [licenses];
+        const validLicenses = licenseArray
+            .map(lic => {
+            if (typeof lic === 'string') {
+                return { license: { id: lic } };
+            }
+            if (typeof lic === 'object' && lic !== null && ('license' in lic || 'expression' in lic)) {
+                return lic;
+            }
+            return null;
+        })
+            .filter(Boolean);
+        if (validLicenses.length > 0) {
+            componentObject.licenses = validLicenses;
+        }
+    }
+    // Add hashes if provided (CycloneDX 1.4 format).
+    if (hashes && hashes.length > 0) {
+        componentObject.hashes = hashes;
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -56,11 +80,12 @@ export default class CycloneDxSbom {
     }
     /**
      * @param {PackageURL} root - add main/root component for sbom
+     * @param {string|Array} [licenses] - optional license(s) for the root component
      * @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
      */
-    addRoot(root) {
+    addRoot(root, licenses) {
         this.rootComponent =
-            getComponent(root, "application");
+            getComponent(root, "application", undefined, licenses);
         this.components.push(this.rootComponent);
         return this;
     }
@@ -74,16 +99,24 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef, targetRef, scope) {
+    addDependency(sourceRef, targetRef, scope, targetHashes) {
         const sourcePurl = sourceRef.toString();
         const targetPurl = targetRef.toString();
         // Ensure both components exist in the components list
         [sourceRef, targetRef].forEach((ref, index) => {
             const purl = index === 0 ? sourcePurl : targetPurl;
-            if (this.getComponentIndex(purl) < 0) {
-                this.components.push(getComponent(ref, "library", scope));
+            const existingIndex = this.getComponentIndex(purl);
+            if (existingIndex < 0) {
+                const hashes = index === 1 ? targetHashes : undefined;
+                this.components.push(getComponent(ref, "library", scope, undefined, hashes));
+            }
+            else if (index === 1 && targetHashes && targetHashes.length > 0 && !this.components[existingIndex].hashes) {
+                // Update hashes if the component was first seen without them (e.g. as a source)
+                this.components[existingIndex].hashes = targetHashes;
             }
         });
         // Ensure source dependency exists
@@ -108,6 +141,7 @@ export default class CycloneDxSbom {
     getAsJsonString(opts) {
         let manifestType = opts["manifest-type"];
         this.setSourceManifest(opts["source-manifest"]);
+        const rootPurl = this.rootComponent?.purl;
         this.sbomObject = {
             "bomFormat": "CycloneDX",
             "specVersion": "1.4",
@@ -117,7 +151,7 @@ export default class CycloneDxSbom {
                 "component": this.rootComponent,
                 "properties": new Array()
             },
-            "components": this.components,
+            "components": this.components.filter(c => c.purl !== rootPurl),
             "dependencies": this.dependencies
         };
         if (this.rootComponent === undefined) {
@@ -229,6 +263,20 @@ export default class CycloneDxSbom {
             return false;
         }
     }
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef, purlPrefix) {
+        const sourcePurl = sourceRef.toString();
+        const depIndex = this.getDependencyIndex(sourcePurl);
+        if (depIndex < 0) {
+            return false;
+        }
+        return this.dependencies[depIndex].dependsOn.some(dep => dep.startsWith(purlPrefix));
+    }
     /** Removes the root component from the sbom
      */
     removeRootComponent() {

package/dist/src/index.d.ts

@@ -13,16 +13,28 @@ export function selectTrustifyDABackend(opts?: {
     TRUSTIFY_DA_DEBUG?: string | undefined;
     TRUSTIFY_DA_BACKEND_URL?: string | undefined;
 }): string;
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export function generateSbom(manifestPath: string, opts?: Options): Promise<object>;
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 declare namespace _default {
     export { componentAnalysis };
     export { stackAnalysis };
+    export { stackAnalysisBatch };
     export { imageAnalysis };
     export { validateToken };
+    export { generateSbom };
 }
 export default _default;
 export type Options = {
+    TRUSTIFY_DA_CARGO_PATH?: string | undefined;
     TRUSTIFY_DA_DOCKER_PATH?: string | undefined;
     TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED?: string | undefined;
     TRUSTIFY_DA_GO_PATH?: string | undefined;
@@ -47,11 +59,45 @@ export type Options = {
     TRUSTIFY_DA_SYFT_CONFIG_PATH?: string | undefined;
     TRUSTIFY_DA_SYFT_PATH?: string | undefined;
     TRUSTIFY_DA_YARN_PATH?: string | undefined;
+    TRUSTIFY_DA_WORKSPACE_DIR?: string | undefined;
+    TRUSTIFY_DA_LICENSE_CHECK?: string | undefined;
     MATCH_MANIFEST_VERSIONS?: string | undefined;
-    RHDA_SOURCE?: string | undefined;
-    RHDA_TOKEN?: string | undefined;
-    RHDA_TELEMETRY_ID?: string | undefined;
-    [key: string]: string | undefined;
+    TRUSTIFY_DA_SOURCE?: string | undefined;
+    TRUSTIFY_DA_TOKEN?: string | undefined;
+    TRUSTIFY_DA_TELEMETRY_ID?: string | undefined;
+    TRUSTIFY_DA_WORKSPACE_DIR?: string | undefined;
+    batchConcurrency?: number | undefined;
+    TRUSTIFY_DA_BATCH_CONCURRENCY?: string | undefined;
+    workspaceDiscoveryIgnore?: string[] | undefined;
+    TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string | undefined;
+    continueOnError?: boolean | undefined;
+    TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined;
+    batchMetadata?: boolean | undefined;
+    TRUSTIFY_DA_BATCH_METADATA?: string | undefined;
+    TRUSTIFY_DA_UV_PATH?: string | undefined;
+    TRUSTIFY_DA_POETRY_PATH?: string | undefined;
+    [key: string]: string | number | boolean | string[] | undefined;
+};
+export type BatchAnalysisMetadata = {
+    workspaceRoot: string;
+    ecosystem: "javascript" | "cargo" | "pyproject" | "unknown";
+    total: number;
+    successful: number;
+    failed: number;
+    errors: Array<{
+        manifestPath: string;
+        phase: "validation" | "sbom";
+        reason: string;
+    }>;
+};
+export type SbomResult = {
+    ok: true;
+    purl: string;
+    sbom: object;
+} | {
+    ok: false;
+    manifestPath: string;
+    reason: string;
 };
 /**
  * Get component analysis report for a manifest content.
@@ -90,6 +136,81 @@ declare function stackAnalysis(manifest: string, html: false, opts?: Options | u
  * 		or backend request failed
  */
 declare function stackAnalysis(manifest: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: string;
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<string>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<{
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
+/**
+ * Get stack analysis for all workspace packages/crates (batch).
+ * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
+ * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
+ * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
+ *
+ * @overload
+ * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON report
+ * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | {
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+} | {
+    analysis: string | {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
 /**
  * @overload
  * @param {Array<string>} imageRefs
@@ -130,3 +251,16 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
+import { discoverUvWorkspaceMembers } from './providers/python_uv.js';
+import { discoverWorkspacePackages } from './workspace.js';
+import { discoverWorkspaceCrates } from './workspace.js';
+import { validatePackageJson } from './workspace.js';
+import { resolveWorkspaceDiscoveryIgnore } from './workspace.js';
+import { filterManifestPathsByDiscoveryIgnore } from './workspace.js';
+import { resolveContinueOnError } from './batch_opts.js';
+import { resolveBatchMetadata } from './batch_opts.js';
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverUvWorkspaceMembers, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
+export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";