@trustify-da/trustify-da-javascript-client 0.3.0-ea.a783c26 → 0.3.0-ea.a8c3942

package/dist/package.json

@@ -51,7 +51,6 @@
         "@cyclonedx/cyclonedx-library": "^6.13.0",
         "eslint-import-resolver-typescript": "^4.4.4",
         "fast-glob": "^3.3.3",
-        "fast-toml": "^0.5.4",
         "fast-xml-parser": "^5.3.4",
         "help": "^3.0.2",
         "https-proxy-agent": "^7.0.6",

package/dist/src/cyclone_dx_sbom.d.ts

@@ -18,9 +18,14 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope: any): CycloneDxSbom;
+    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope?: string, targetHashes?: Array<{
+        alg: string;
+        content: string;
+    }>): CycloneDxSbom;
     /** @param {{}} opts - various options, settings and configuration of application.
      * @return String CycloneDx Sbom json object in a string format
      */
@@ -50,6 +55,7 @@ export default class CycloneDxSbom {
         version: any;
         scope: any;
         licenses?: any;
+        hashes?: any;
     };
     /**
      * This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom

package/dist/src/cyclone_dx_sbom.js

@@ -6,10 +6,11 @@ import { PackageURL } from "packageurl-js";
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
  * @param licenses optional license string or array of licenses for the component
- * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
+ * @param hashes optional array of hash objects for the component, e.g. [{alg: "SHA-256", content: "..."}]
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?, hashes?}}
  * @private
  */
-function getComponent(component, type, scope, licenses) {
+function getComponent(component, type, scope, licenses, hashes) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -47,6 +48,10 @@ function getComponent(component, type, scope, licenses) {
             return lic;
         });
     }
+    // Add hashes if provided (CycloneDX 1.4 format).
+    if (hashes && hashes.length > 0) {
+        componentObject.hashes = hashes;
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -86,16 +91,24 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef, targetRef, scope) {
+    addDependency(sourceRef, targetRef, scope, targetHashes) {
         const sourcePurl = sourceRef.toString();
         const targetPurl = targetRef.toString();
         // Ensure both components exist in the components list
         [sourceRef, targetRef].forEach((ref, index) => {
             const purl = index === 0 ? sourcePurl : targetPurl;
-            if (this.getComponentIndex(purl) < 0) {
-                this.components.push(getComponent(ref, "library", scope));
+            const existingIndex = this.getComponentIndex(purl);
+            if (existingIndex < 0) {
+                const hashes = index === 1 ? targetHashes : undefined;
+                this.components.push(getComponent(ref, "library", scope, undefined, hashes));
+            }
+            else if (index === 1 && targetHashes && targetHashes.length > 0 && !this.components[existingIndex].hashes) {
+                // Update hashes if the component was first seen without them (e.g. as a source)
+                this.components[existingIndex].hashes = targetHashes;
             }
         });
         // Ensure source dependency exists

package/dist/src/index.d.ts

@@ -80,7 +80,7 @@ export type Options = {
 };
 export type BatchAnalysisMetadata = {
     workspaceRoot: string;
-    ecosystem: "javascript" | "cargo" | "unknown";
+    ecosystem: "javascript" | "cargo" | "pyproject" | "unknown";
     total: number;
     successful: number;
     failed: number;
@@ -136,19 +136,74 @@ declare function stackAnalysis(manifest: string, html: false, opts?: Options | u
  * 		or backend request failed
  */
 declare function stackAnalysis(manifest: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: string;
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<string>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<{
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
  * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
  * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
  */
-declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean, opts?: Options): Promise<string | {
+declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | {
     [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
 } | {
     analysis: string | {
@@ -196,6 +251,10 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
+import { discoverUvWorkspaceMembers } from './providers/python_uv.js';
 import { discoverWorkspacePackages } from './workspace.js';
 import { discoverWorkspaceCrates } from './workspace.js';
 import { validatePackageJson } from './workspace.js';
@@ -203,5 +262,5 @@ import { resolveWorkspaceDiscoveryIgnore } from './workspace.js';
 import { filterManifestPathsByDiscoveryIgnore } from './workspace.js';
 import { resolveContinueOnError } from './batch_opts.js';
 import { resolveBatchMetadata } from './batch_opts.js';
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverUvWorkspaceMembers, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";

package/dist/src/index.js

@@ -6,6 +6,10 @@ import analysis from './analysis.js';
 import fs from 'node:fs';
 import { getCustom } from "./tools.js";
 import { resolveBatchMetadata, resolveContinueOnError } from './batch_opts.js';
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
+import { discoverUvWorkspaceMembers } from './providers/python_uv.js';
 import { discoverWorkspaceCrates, discoverWorkspacePackages, filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, validatePackageJson, } from './workspace.js';
 import.meta.dirname;
 import * as url from 'url';
@@ -13,7 +17,7 @@ export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
 export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverUvWorkspaceMembers, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
  * TRUSTIFY_DA_CARGO_PATH?: string | undefined,
@@ -64,7 +68,7 @@ export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson
 /**
  * @typedef {{
  *   workspaceRoot: string,
- *   ecosystem: 'javascript' | 'cargo' | 'unknown',
+ *   ecosystem: 'javascript' | 'cargo' | 'pyproject' | 'unknown',
  *   total: number,
  *   successful: number,
  *   failed: number,
@@ -279,16 +283,43 @@ async function generateOneSbom(manifestPath, workspaceOpts) {
  *
  * @param {string} root - Resolved workspace root
  * @param {Options} opts
- * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'unknown', manifestPaths: string[] }>}
+ * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'maven' | 'gradle' | 'gomodules' | 'pyproject' | 'unknown', manifestPaths: string[] }>}
  * @private
  */
 async function detectWorkspaceManifests(root, opts) {
     const cargoToml = path.join(root, 'Cargo.toml');
     const cargoLock = path.join(root, 'Cargo.lock');
     const packageJson = path.join(root, 'package.json');
+    const pomXml = path.join(root, 'pom.xml');
     if (fs.existsSync(cargoToml) && fs.existsSync(cargoLock)) {
         return { ecosystem: 'cargo', manifestPaths: await discoverWorkspaceCrates(root, opts) };
     }
+    if (fs.existsSync(pomXml)) {
+        const manifestPaths = await discoverMavenModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'maven', manifestPaths };
+        }
+    }
+    const hasGradleSettings = fs.existsSync(path.join(root, 'settings.gradle'))
+        || fs.existsSync(path.join(root, 'settings.gradle.kts'));
+    if (hasGradleSettings) {
+        const manifestPaths = await discoverGradleSubprojects(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'gradle', manifestPaths };
+        }
+    }
+    if (fs.existsSync(path.join(root, 'go.work'))) {
+        const manifestPaths = await discoverGoWorkspaceModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'gomodules', manifestPaths };
+        }
+    }
+    if (fs.existsSync(path.join(root, 'pyproject.toml')) && fs.existsSync(path.join(root, 'uv.lock'))) {
+        const manifestPaths = await discoverUvWorkspaceMembers(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'pyproject', manifestPaths };
+        }
+    }
     const hasJsLock = fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
         || fs.existsSync(path.join(root, 'yarn.lock'))
         || fs.existsSync(path.join(root, 'package-lock.json'));
@@ -398,12 +429,45 @@ function batchError(message, wantMetadata, metadata) {
     }
     return err;
 }
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
@@ -434,7 +498,7 @@ async function stackAnalysisBatch(workspaceRoot, html = false, opts = {}) {
         }
     }
     if (manifestPaths.length === 0) {
-        throw new Error(`No workspace manifests found at ${root}. Ensure Cargo.toml+Cargo.lock or package.json+lock file exist.`);
+        throw new Error(`No workspace manifests found at ${root}. Ensure a supported workspace root exists (Cargo.toml+Cargo.lock, pom.xml, build.gradle, go.work, pyproject.toml+uv.lock, or package.json+lock file).`);
     }
     const workspaceOpts = { ...opts, TRUSTIFY_DA_WORKSPACE_DIR: root };
     const concurrency = resolveBatchConcurrency(opts);

package/dist/src/providers/base_java.d.ts

@@ -57,15 +57,6 @@ export default class Base_Java {
      * @returns string
      */
     selectToolBinary(manifestPath: string, opts: {}): string | null;
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest: string, repoRoot?: string): string | undefined;
-    normalizePath(thePath: any): string;
     #private;
 }
 export type Provided = import("../provider").Provided;

package/dist/src/providers/base_java.js

@@ -1,7 +1,6 @@
-import fs from 'node:fs';
 import path from 'node:path';
 import { PackageURL } from 'packageurl-js';
-import { getCustomPath, getGitRootDir, getWrapperPreference, invokeCommand } from "../tools.js";
+import { getCustomPath, getWrapperPreference, invokeCommand, traverseForWrapper } from "../tools.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -131,7 +130,7 @@ export default class Base_Java {
         const toolPath = getCustomPath(this.globalBinary, opts);
         const useWrapper = getWrapperPreference(this.globalBinary, opts);
         if (useWrapper) {
-            const wrapper = this.traverseForWrapper(manifestPath);
+            const wrapper = traverseForWrapper(manifestDir, this.localWrapper);
             if (wrapper !== undefined) {
                 try {
                     this._invokeCommand(wrapper, ['--version'], { cwd: manifestDir });
@@ -156,39 +155,4 @@ export default class Base_Java {
         }
         return toolPath;
     }
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest, repoRoot = undefined) {
-        const normalizedManifest = this.normalizePath(startingManifest);
-        const currentDir = this.normalizePath(path.dirname(normalizedManifest));
-        repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(normalizedManifest).root;
-        const wrapperPath = path.join(currentDir, this.localWrapper);
-        try {
-            fs.accessSync(wrapperPath, fs.constants.X_OK);
-            return wrapperPath;
-        }
-        catch (error) {
-            if (error.code === 'ENOENT') {
-                const rootDir = path.parse(currentDir).root;
-                if (currentDir === repoRoot || currentDir === rootDir) {
-                    return undefined;
-                }
-                const parentDir = path.dirname(currentDir);
-                if (parentDir === currentDir || parentDir === rootDir) {
-                    return undefined;
-                }
-                return this.traverseForWrapper(path.join(parentDir, path.basename(normalizedManifest)), repoRoot);
-            }
-            throw new Error(`failure searching for ${this.localWrapper}`, { cause: error });
-        }
-    }
-    normalizePath(thePath) {
-        const normalized = path.resolve(thePath).normalize();
-        return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
-    }
 }

package/dist/src/providers/base_pyproject.d.ts

@@ -1,4 +1,4 @@
-/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
 /** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
 /** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
 /** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
@@ -131,6 +131,10 @@ export type GraphEntry = {
     name: string;
     version: string;
     children: string[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
 };
 export type DepTreeEntry = {
     name: string;

package/dist/src/providers/base_pyproject.js

@@ -7,9 +7,10 @@ import Sbom from '../sbom.js';
 import { getCustom } from '../tools.js';
 const ecosystem = 'pip';
 const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
+const NO_SCOPE = undefined;
 const DEFAULT_ROOT_NAME = 'default-pip-root';
 const DEFAULT_ROOT_VERSION = '0.0.0';
-/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
 /** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
 /** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
 /** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
@@ -281,7 +282,7 @@ export default class Base_pyproject {
                     continue;
                 }
                 let entry = graph.get(key);
-                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version), NO_SCOPE, entry.hashes);
             }
             for (let [key, entry] of graph) {
                 if (!reachable.has(key)) {
@@ -293,7 +294,7 @@ export default class Base_pyproject {
                         continue;
                     }
                     let childEntry = graph.get(child);
-                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version), NO_SCOPE, childEntry.hashes);
                 }
             }
         }
@@ -306,7 +307,7 @@ export default class Base_pyproject {
                 if (!entry) {
                     continue;
                 }
-                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version), NO_SCOPE, entry.hashes);
             }
         }
         return sbom.getAsJsonString(opts);

package/dist/src/providers/golang_gomodules.d.ts

@@ -1,3 +1,12 @@
+/**
+ * Discover all go.mod manifest paths in a Go workspace.
+ * Uses `go work edit -json` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain go.work)
+ * @param {import('../index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to go.mod files (absolute)
+ */
+export function discoverGoWorkspaceModules(workspaceRoot: string, opts?: import("../index.js").Options): Promise<string[]>;
 declare namespace _default {
     export { isSupported };
     export { validateLockFile };

package/dist/src/providers/golang_gomodules.js

@@ -4,6 +4,7 @@ import { PackageURL } from 'packageurl-js';
 import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom, getCustomPath, invokeCommand } from "../tools.js";
+import { filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore } from '../workspace.js';
 import { getParser, getRequireQuery } from './gomod_parser.js';
 export default { isSupported, validateLockFile, provideComponent, provideStack, readLicenseFromManifest };
 /** @typedef {import('../provider').Provider} */
@@ -328,13 +329,7 @@ function getFinalPackagesVersionsForModule(rows, manifestPath, goBin) {
     catch (error) {
         throw new Error('failed to list all modules', { cause: error });
     }
-    let finalVersionModules = new Map();
-    finalVersionsForAllModules.split(getLineSeparatorGolang()).filter(string => string.trim() !== "")
-        .filter(string => string.trim().split(" ").length === 2)
-        .forEach((dependency) => {
-        let dep = dependency.split(" ");
-        finalVersionModules[dep[0]] = dep[1];
-    });
+    let finalVersionModules = parseModuleVersions(finalVersionsForAllModules);
     let finalVersionModulesArray = new Array();
     rows.filter(string => string.trim() !== "").forEach(module => {
         let child = getChildVertexFromEdge(module);
@@ -395,7 +390,69 @@ function getVersionOfPackage(fullPackage) {
     let parts = fullPackage.split("@");
     return parts.length > 1 ? parts[1] : undefined;
 }
+function parseModuleVersions(goListOutput) {
+    let modules = {};
+    goListOutput.split(getLineSeparatorGolang()).filter(string => string.trim() !== "")
+        .forEach((line) => {
+        let parts = line.trim().split(" ");
+        if (parts.length === 2) {
+            modules[parts[0]] = parts[1];
+        }
+        else if (parts.length >= 4 && parts[2] === "=>") {
+            modules[parts[0]] = parts[parts.length - 1];
+        }
+    });
+    return modules;
+}
 function getLineSeparatorGolang() {
     let reg = /\n|\r\n/;
     return reg;
 }
+/**
+ * Discover all go.mod manifest paths in a Go workspace.
+ * Uses `go work edit -json` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain go.work)
+ * @param {import('../index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to go.mod files (absolute)
+ */
+export async function discoverGoWorkspaceModules(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const goWork = path.join(root, 'go.work');
+    if (!fs.existsSync(goWork)) {
+        return [];
+    }
+    const goBin = getCustomPath('go', opts);
+    let output;
+    try {
+        output = invokeCommand(goBin, ['work', 'edit', '-json', goWork], { cwd: root });
+    }
+    catch {
+        return [];
+    }
+    let workspace;
+    try {
+        workspace = JSON.parse(output.toString().trim());
+    }
+    catch {
+        return [];
+    }
+    const useEntries = workspace.Use || [];
+    if (useEntries.length === 0) {
+        return [];
+    }
+    const manifestPaths = [];
+    for (const entry of useEntries) {
+        const diskPath = entry.DiskPath;
+        if (!diskPath) {
+            continue;
+        }
+        const moduleDir = path.resolve(root, diskPath);
+        const goMod = path.join(moduleDir, 'go.mod');
+        if (fs.existsSync(goMod)) {
+            manifestPaths.push(goMod);
+        }
+    }
+    const ignorePatterns = resolveWorkspaceDiscoveryIgnore(opts);
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}

package/dist/src/providers/java_gradle.d.ts

@@ -1,3 +1,22 @@
+/**
+ * Discover all build.gradle[.kts] manifest paths in a Gradle multi-project build.
+ * Uses a custom init script to get structured project listing.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain settings.gradle[.kts])
+ * @param {import('../index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to build.gradle[.kts] files (absolute)
+ */
+export function discoverGradleSubprojects(workspaceRoot: string, opts?: import("../index.js").Options): Promise<string[]>;
+/**
+ * Parse the structured output from the Gradle init script.
+ *
+ * @param {string} raw - Raw stdout from gradle
+ * @returns {{ path: string, dir: string }[]}
+ */
+export function parseGradleInitScriptOutput(raw: string): {
+    path: string;
+    dir: string;
+}[];
 /**
  * This class provides common functionality for Groovy and Kotlin DSL files.
  */