@trustify-da/trustify-da-javascript-client 0.3.0-ea.904e9f2 → 0.3.0-ea.9988076

package/README.md

@@ -43,6 +43,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'])
 ```
 </li>
 </ul>
+
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
+</ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
 <ul>
 <li>
 Use as ESM Module from Common-JS module
@@ -83,12 +98,13 @@ Use as CLI Script
 ```shell
 $ npx @trustify-da/trustify-da-javascript-client help
 
-Usage: trustify-da-javascript-client {component|stack|image|validate-token}
+Usage: trustify-da-javascript-client {component|stack|image|validate-token|license}
 
 Commands:
   trustify-da-javascript-client stack </path/to/manifest> [--html|--summary]               produce stack report for manifest path
   trustify-da-javascript-client component <path/to/manifest> [--summary]   produce component report for a manifest type and content
   trustify-da-javascript-client image <image-refs..> [--html|--summary]               produce image analysis report for OCI image references
+  trustify-da-javascript-client license </path/to/manifest>               display project license information from manifest and LICENSE file in JSON format
 
 Options:
   --help  Show help                                                    [boolean]
@@ -123,6 +139,9 @@ $ npx @trustify-da/trustify-da-javascript-client image docker.io/library/node:18
 
 # specify architecture using ^^ notation (e.g., httpd:2.4.49^^amd64)
 $ npx @trustify-da/trustify-da-javascript-client image httpd:2.4.49^^amd64
+
+# get project license information
+$ npx @trustify-da/trustify-da-javascript-client license /path/to/package.json
 ```
 </li>
 
@@ -161,6 +180,9 @@ $ trustify-da-javascript-client image docker.io/library/node:18 docker.io/librar
 
 # specify architecture using ^^ notation (e.g., httpd:2.4.49^^amd64)
 $ trustify-da-javascript-client image httpd:2.4.49^^amd64
+
+# get project license information
+$ trustify-da-javascript-client license /path/to/package.json
 ```
 </li>
 </ul>
@@ -174,7 +196,23 @@ $ trustify-da-javascript-client image httpd:2.4.49^^amd64
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
 <li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
+<li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
+</ul>
+
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
 </ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
 
 <h3>Excluding Packages</h3>
 <p>
@@ -297,7 +335,21 @@ test {
 }
 ```
 
-All of the 5 above examples are valid for marking a package to be ignored
+<em>Rust Cargo</em> users can add a comment with <code># trustify-da-ignore</code> (or <code># exhortignore</code>) in <em>Cargo.toml</em> next to the dependency to be ignored. This works for inline declarations, table-based declarations, and workspace-level dependency sections:
+
+```toml
+[dependencies]
+serde = "1.0" # trustify-da-ignore
+tokio = { version = "1.35", features = ["full"] }
+
+[dependencies.regex] # trustify-da-ignore
+version = "1.10"
+
+[workspace.dependencies]
+log = "0.4" # trustify-da-ignore
+```
+
+All of the 6 above examples are valid for marking a package to be ignored
 </li>
 
 </ul>
@@ -329,6 +381,7 @@ let options = {
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
+  'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
   // Configure proxy for all requests
   'TRUSTIFY_DA_PROXY_URL': 'http://proxy.example.com:8080'
 }
@@ -372,6 +425,11 @@ const options = {
 The proxy URL should be in the format: `http://host:port` or `https://host:port`. The API will automatically use the appropriate protocol (HTTP or HTTPS) based on the proxy URL provided.
 </p>
 
+<h4>License resolution and dependency license compliance</h4>
+<p>
+The client can resolve the <strong>project license</strong> from the manifest (e.g. <code>package.json</code> <code>license</code>, <code>pom.xml</code> <code>&lt;licenses&gt;</code>, <code>Cargo.toml</code> <code>license</code>) and from a <code>LICENSE</code> or <code>LICENSE.md</code> file in the project, and report when they differ. For <strong>component analysis</strong>, you can optionally run a license check: the client fetches dependency licenses from the backend (by purl) and reports dependencies whose licenses are incompatible with the project license. See <a href="docs/license-resolution-and-compliance.md">License resolution and compliance</a> for design and behavior. To disable the check on component analysis, set <code>TRUSTIFY_DA_LICENSE_CHECK=false</code> or pass <code>licenseCheck: false</code> in the options.
+</p>
+
 <h4>Customizing Executables</h4>
 <p>
 This project uses each ecosystem's executable for creating dependency trees. These executables are expected to be
@@ -445,6 +503,11 @@ following keys for setting custom paths for the said executables.
 <td><em>gradle</em></td>
 <td>TRUSTIFY_DA_PREFER_GRADLEW</td>
 </tr>
+<tr>
+<td><a href="https://www.rust-lang.org/">Rust Cargo</a></td>
+<td><em>cargo</em></td>
+<td>TRUSTIFY_DA_CARGO_PATH</td>
+</tr>
 </table>
 
 #### Match Manifest Versions Feature

package/dist/package.json

@@ -40,34 +40,42 @@
         "test": "c8 npm run tests",
         "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm",
         "precompile": "rm -rf dist",
-        "compile": "tsc -p tsconfig.json"
+        "compile": "tsc -p tsconfig.json",
+        "compile:dev": "tsc -p tsconfig.dev.json",
+        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm"
     },
     "dependencies": {
         "@babel/core": "^7.23.2",
-        "@cyclonedx/cyclonedx-library": "~1.13.3",
+        "@cyclonedx/cyclonedx-library": "^6.13.0",
+        "eslint-import-resolver-typescript": "^4.4.4",
         "fast-toml": "^0.5.4",
-        "fast-xml-parser": "^4.5.3",
+        "fast-xml-parser": "^5.3.4",
         "help": "^3.0.2",
         "https-proxy-agent": "^7.0.6",
-        "node-fetch": "^2.7.0",
-        "packageurl-js": "^1.0.2",
-        "yargs": "^17.7.2"
+        "node-fetch": "^3.3.2",
+        "packageurl-js": "~1.0.2",
+        "smol-toml": "^1.6.0",
+        "tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
+        "web-tree-sitter": "^0.26.6",
+        "yargs": "^18.0.0"
     },
     "devDependencies": {
         "@babel/core": "^7.23.2",
-        "@trustify-da/trustify-da-api-model": "^2.0.1",
+        "@trustify-da/trustify-da-api-model": "^2.0.7",
         "@types/node": "^20.17.30",
         "@types/which": "^3.0.4",
         "babel-plugin-rewire": "^1.2.0",
-        "c8": "^8.0.0",
+        "c8": "^11.0.0",
         "chai": "^4.3.7",
         "eslint": "^8.42.0",
+        "eslint-import-resolver-typescript": "^4.4.4",
         "eslint-plugin-editorconfig": "^4.0.3",
         "eslint-plugin-import": "^2.29.1",
         "esmock": "^2.6.2",
         "mocha": "^10.2.0",
-        "msw": "^1.3.2",
+        "msw": "^2.12.7",
         "sinon": "^15.1.2",
         "sinon-chai": "^3.7.0",
         "typescript": "^5.1.3",

package/dist/src/analysis.d.ts

@@ -13,7 +13,7 @@ export default _default;
  * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {Promise<import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>}
  */
-declare function requestComponent(provider: import('./provider').Provider, manifest: string, url: string, opts?: import("index.js").Options | undefined): Promise<import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>;
+declare function requestComponent(provider: import("./provider").Provider, manifest: string, url: string, opts?: import("index.js").Options): Promise<import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
 /**
  * Send a stack analysis request and get the report as 'text/html' or 'application/json'.
  * @param {import('./provider').Provider} provider - the provided data for constructing the request
@@ -23,7 +23,7 @@ declare function requestComponent(provider: import('./provider').Provider, manif
  * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {Promise<string|import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>}
  */
-declare function requestStack(provider: import('./provider').Provider, manifest: string, url: string, html?: boolean | undefined, opts?: import("index.js").Options | undefined): Promise<string | import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>;
+declare function requestStack(provider: import("./provider").Provider, manifest: string, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
 /**
  *
  * @param {Array<string>} imageRefs
@@ -31,8 +31,8 @@ declare function requestStack(provider: import('./provider').Provider, manifest:
  * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
  */
-declare function requestImages(imageRefs: Array<string>, url: string, html?: boolean, opts?: import("index.js").Options | undefined): Promise<string | {
-    [x: string]: import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport;
+declare function requestImages(imageRefs: Array<string>, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | {
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
 }>;
 /**
  *
@@ -40,4 +40,4 @@ declare function requestImages(imageRefs: Array<string>, url: string, html?: boo
  * @param {import("index.js").Options} [opts={}] - optional various options to pass headers for t he validateToken Request
  * @return {Promise<number>} return the HTTP status Code of the response from the validate token request.
  */
-declare function validateToken(url: any, opts?: import("index.js").Options | undefined): Promise<number>;
+declare function validateToken(url: any, opts?: import("index.js").Options): Promise<number>;

package/dist/src/analysis.js

@@ -1,28 +1,10 @@
 import fs from "node:fs";
 import path from "node:path";
 import { EOL } from "os";
-import { HttpsProxyAgent } from "https-proxy-agent";
+import { runLicenseCheck } from "./license/index.js";
 import { generateImageSBOM, parseImageRef } from "./oci_image/utils.js";
-import { RegexNotToBeLogged, getCustom } from "./tools.js";
+import { addProxyAgent, getCustom, getTokenHeaders, TRUSTIFY_DA_OPERATION_TYPE_HEADER, TRUSTIFY_DA_PACKAGE_MANAGER_HEADER } from "./tools.js";
 export default { requestComponent, requestStack, requestImages, validateToken };
-const rhdaTokenHeader = "rhda-token";
-const rhdaTelemetryId = "rhda-telemetry-id";
-const rhdaSourceHeader = "rhda-source";
-const rhdaOperationTypeHeader = "rhda-operation-type";
-const rhdaPackageManagerHeader = "rhda-pkg-manager";
-/**
- * Adds proxy agent configuration to fetch options if a proxy URL is specified
- * @param {RequestInit} options - The base fetch options
- * @param {import("index.js").Options} opts - The trustify DA options that may contain proxy configuration
- * @returns {RequestInit} The fetch options with proxy agent if applicable
- */
-function addProxyAgent(options, opts) {
-    const proxyUrl = getCustom('TRUSTIFY_DA_PROXY_URL', null, opts);
-    if (proxyUrl) {
-        options.agent = new HttpsProxyAgent(proxyUrl);
-    }
-    return options;
-}
 /**
  * Send a stack analysis request and get the report as 'text/html' or 'application/json'.
  * @param {import('./provider').Provider} provider - the provided data for constructing the request
@@ -35,15 +17,15 @@ function addProxyAgent(options, opts) {
 async function requestStack(provider, manifest, url, html = false, opts = {}) {
     opts["source-manifest"] = Buffer.from(fs.readFileSync(manifest).toString()).toString('base64');
     opts["manifest-type"] = path.parse(manifest).base;
-    let provided = provider.provideStack(manifest, opts); // throws error if content providing failed
+    let provided = await provider.provideStack(manifest, opts); // throws error if content providing failed
     opts["source-manifest"] = "";
-    opts[rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_")] = "stack-analysis";
+    opts[TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_")] = "stack-analysis";
     let startTime = new Date();
     let endTime;
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         console.log("Starting time of sending stack analysis request to the dependency analytics server= " + startTime);
     }
-    opts[rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
+    opts[TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
     const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
@@ -53,7 +35,7 @@ async function requestStack(provider, manifest, url, html = false, opts = {}) {
         },
         body: provided.content
     }, opts);
-    const finalUrl = new URL(`${url}/api/v4/analysis`);
+    const finalUrl = new URL(`${url}/api/v5/analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -94,13 +76,13 @@ async function requestStack(provider, manifest, url, html = false, opts = {}) {
  */
 async function requestComponent(provider, manifest, url, opts = {}) {
     opts["source-manifest"] = Buffer.from(fs.readFileSync(manifest).toString()).toString('base64');
-    let provided = provider.provideComponent(manifest, opts); // throws error if content providing failed
+    let provided = await provider.provideComponent(manifest, opts); // throws error if content providing failed
     opts["source-manifest"] = "";
-    opts[rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_")] = "component-analysis";
+    opts[TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_")] = "component-analysis";
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         console.log("Starting time of sending component analysis request to Trustify DA backend server= " + new Date());
     }
-    opts[rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
+    opts[TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
     const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
@@ -110,7 +92,7 @@ async function requestComponent(provider, manifest, url, opts = {}) {
         },
         body: provided.content
     }, opts);
-    const finalUrl = new URL(`${url}/api/v4/analysis`);
+    const finalUrl = new URL(`${url}/api/v5/analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -127,6 +109,15 @@ async function requestComponent(provider, manifest, url, opts = {}) {
             console.log(JSON.stringify(result, null, 4));
             console.log("Ending time of sending component analysis request to Trustify DA backend server= " + new Date());
         }
+        const licenseCheckEnabled = getCustom('TRUSTIFY_DA_LICENSE_CHECK', 'true', opts) !== 'false' && opts.licenseCheck !== false;
+        if (licenseCheckEnabled) {
+            try {
+                result.licenseSummary = await runLicenseCheck(provided.content, manifest, url, opts, result);
+            }
+            catch (licenseErr) {
+                result.licenseSummary = { error: licenseErr.message };
+            }
+        }
     }
     else {
         throw new Error(`Got error response from Trustify DA backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`);
@@ -146,7 +137,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
         const parsedImageRef = parseImageRef(image, opts);
         imageSboms[parsedImageRef.getPackageURL().toString()] = generateImageSBOM(parsedImageRef, opts);
     }
-    const finalUrl = new URL(`${url}/api/v4/batch-analysis`);
+    const finalUrl = new URL(`${url}/api/v5/batch-analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -195,7 +186,7 @@ async function validateToken(url, opts = {}) {
             ...getTokenHeaders(opts),
         }
     }, opts);
-    let resp = await fetch(`${url}/api/v4/token`, fetchOptions);
+    let resp = await fetch(`${url}/api/v5/token`, fetchOptions);
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         let exRequestId = resp.headers.get("ex-request-id");
         if (exRequestId) {
@@ -204,49 +195,3 @@ async function validateToken(url, opts = {}) {
     }
     return resp.status;
 }
-/**
- *
- * @param {string} headerName - the header name to populate in request
- * @param headers
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
- * @private
- */
-function setRhdaHeader(headerName, headers, opts) {
-    let rhdaHeaderValue = getCustom(headerName.toUpperCase().replaceAll("-", "_"), null, opts);
-    if (rhdaHeaderValue) {
-        headers[headerName] = rhdaHeaderValue;
-    }
-}
-/**
- * Utility function for fetching vendor tokens
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
- * @returns {{}}
- */
-function getTokenHeaders(opts = {}) {
-    let supportedTokens = ['snyk', 'oss-index'];
-    let headers = {};
-    supportedTokens.forEach(vendor => {
-        let token = getCustom(`TRUSTIFY_DA_${vendor.replace("-", "_").toUpperCase()}_TOKEN`, null, opts);
-        if (token) {
-            headers[`ex-${vendor}-token`] = token;
-        }
-        let user = getCustom(`TRUSTIFY_DA_${vendor.replace("-", "_").toUpperCase()}_USER`, null, opts);
-        if (user) {
-            headers[`ex-${vendor}-user`] = user;
-        }
-    });
-    setRhdaHeader(rhdaTokenHeader, headers, opts);
-    setRhdaHeader(rhdaSourceHeader, headers, opts);
-    setRhdaHeader(rhdaOperationTypeHeader, headers, opts);
-    setRhdaHeader(rhdaPackageManagerHeader, headers, opts);
-    setRhdaHeader(rhdaTelemetryId, headers, opts);
-    if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
-        console.log("Headers Values to be sent to Trustify DA backend:" + EOL);
-        for (const headerKey in headers) {
-            if (!headerKey.match(RegexNotToBeLogged)) {
-                console.log(`${headerKey}: ${headers[headerKey]}`);
-            }
-        }
-    }
-    return headers;
-}

package/dist/src/cli.js

@@ -2,7 +2,8 @@
 import * as path from "path";
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
-import client from './index.js';
+import { getProjectLicense, getLicenseDetails } from './license/index.js';
+import client, { selectTrustifyDABackend } from './index.js';
 // command for component analysis take manifest type and content
 const component = {
     command: 'component </path/to/manifest>',
@@ -22,9 +23,8 @@ const validateToken = {
     command: 'validate-token <token-provider> [--token-value thevalue]',
     desc: 'Validates input token if authentic and authorized',
     builder: yargs => yargs.positional('token-provider', {
-        desc: 'the token provider',
-        type: 'string',
-        choices: ['snyk', 'oss-index'],
+        desc: 'the token provider name',
+        type: 'string'
     }).options({
         tokenValue: {
             alias: 'value',
@@ -37,7 +37,7 @@ const validateToken = {
         let opts = {};
         if (args['tokenValue'] !== undefined && args['tokenValue'].trim() !== "") {
             let tokenValue = args['tokenValue'].trim();
-            opts[`TRUSTIFY_DA_${tokenProvider}_TOKEN`] = tokenValue;
+            opts[`TRUSTIFY_DA_PROVIDER_${tokenProvider}_TOKEN`] = tokenValue;
         }
         let res = await client.validateToken(opts);
         console.log(res);
@@ -143,13 +143,79 @@ const stack = {
         console.log(html ? res : JSON.stringify(!html && summary ? theProvidersObject : res, null, 2));
     }
 };
+// command for license checking
+const license = {
+    command: 'license </path/to/manifest>',
+    desc: 'Display project license information from manifest and LICENSE file in JSON format',
+    builder: yargs => yargs.positional('/path/to/manifest', {
+        desc: 'manifest path for license analysis',
+        type: 'string',
+        normalize: true,
+    }),
+    handler: async (args) => {
+        let manifestPath = args['/path/to/manifest'];
+        const opts = {}; // CLI options can be extended in the future
+        try {
+            selectTrustifyDABackend(opts);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: err.message }, null, 2));
+            process.exit(1);
+        }
+        let localResult;
+        try {
+            localResult = getProjectLicense(manifestPath);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: `Failed to read manifest: ${err.message}` }, null, 2));
+            process.exit(1);
+        }
+        const errors = [];
+        // Build LicenseInfo objects
+        const buildLicenseInfo = async (spdxId) => {
+            if (!spdxId) {
+                return null;
+            }
+            const licenseInfo = { spdxId };
+            try {
+                const details = await getLicenseDetails(spdxId, opts);
+                if (details) {
+                    // Check if backend recognized the license as valid
+                    if (details.category === 'UNKNOWN') {
+                        errors.push(`"${spdxId}" is not a valid SPDX license identifier. Please use a valid SPDX expression (e.g., "Apache-2.0", "MIT"). See https://spdx.org/licenses/`);
+                    }
+                    else {
+                        Object.assign(licenseInfo, details);
+                    }
+                }
+                else {
+                    errors.push(`No license details found for ${spdxId}`);
+                }
+            }
+            catch (err) {
+                errors.push(`Failed to fetch details for ${spdxId}: ${err.message}`);
+            }
+            return licenseInfo;
+        };
+        const output = {
+            manifestLicense: await buildLicenseInfo(localResult.fromManifest),
+            fileLicense: await buildLicenseInfo(localResult.fromFile),
+            mismatch: localResult.mismatch
+        };
+        if (errors.length > 0) {
+            output.errors = errors;
+        }
+        console.log(JSON.stringify(output, null, 2));
+    }
+};
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|image|validate-token}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|image|validate-token|license}`)
     .command(stack)
     .command(component)
     .command(image)
     .command(validateToken)
+    .command(license)
     .scriptName('')
     .version(false)
     .demandCommand(1)

package/dist/src/cyclone_dx_sbom.d.ts

@@ -1,4 +1,3 @@
-/// <reference types="packageurl-js/src/package-url" />
 export default class CycloneDxSbom {
     sbomObject: any;
     rootComponent: any;
@@ -7,9 +6,10 @@ export default class CycloneDxSbom {
     sourceManifestForAuditTrail: any;
     /**
      * @param {PackageURL} root - add main/root component for sbom
+     * @param {string|Array} [licenses] - optional license(s) for the root component
      * @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
      */
-    addRoot(root: PackageURL): CycloneDxSbom;
+    addRoot(root: PackageURL, licenses?: string | any[]): CycloneDxSbom;
     /**
      * @return {{{"bom-ref": string, name, purl: string, type, version}}} root component of sbom.
      */
@@ -49,6 +49,7 @@ export default class CycloneDxSbom {
         type: any;
         version: any;
         scope: any;
+        licenses?: any;
     };
     /**
      * This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom

package/dist/src/cyclone_dx_sbom.js

@@ -5,10 +5,11 @@ import { PackageURL } from "packageurl-js";
  * @param component {PackageURL}
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
- * @return {{"bom-ref": string, name, purl: string, type, version, scope}}
+ * @param licenses optional license string or array of licenses for the component
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
  * @private
  */
-function getComponent(component, type, scope) {
+function getComponent(component, type, scope, licenses) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -36,6 +37,16 @@ function getComponent(component, type, scope) {
     else {
         componentObject = component;
     }
+    // Add licenses if provided (CycloneDX format). Callers must provide valid SPDX identifiers.
+    if (licenses) {
+        const licenseArray = Array.isArray(licenses) ? licenses : [licenses];
+        componentObject.licenses = licenseArray.map(lic => {
+            if (typeof lic === 'string') {
+                return { license: { id: lic } };
+            }
+            return lic;
+        });
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -56,11 +67,12 @@ export default class CycloneDxSbom {
     }
     /**
      * @param {PackageURL} root - add main/root component for sbom
+     * @param {string|Array} [licenses] - optional license(s) for the root component
      * @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
      */
-    addRoot(root) {
+    addRoot(root, licenses) {
         this.rootComponent =
-            getComponent(root, "application");
+            getComponent(root, "application", undefined, licenses);
         this.components.push(this.rootComponent);
         return this;
     }
@@ -108,6 +120,7 @@ export default class CycloneDxSbom {
     getAsJsonString(opts) {
         let manifestType = opts["manifest-type"];
         this.setSourceManifest(opts["source-manifest"]);
+        const rootPurl = this.rootComponent?.purl;
         this.sbomObject = {
             "bomFormat": "CycloneDX",
             "specVersion": "1.4",
@@ -117,7 +130,7 @@ export default class CycloneDxSbom {
                 "component": this.rootComponent,
                 "properties": new Array()
             },
-            "components": this.components,
+            "components": this.components.filter(c => c.purl !== rootPurl),
             "dependencies": this.dependencies
         };
         if (this.rootComponent === undefined) {