@trustify-da/trustify-da-javascript-client 0.3.0-ea.a783c26 → 0.3.0-ea.a8c3942

package/dist/src/providers/python_poetry.js

@@ -1,7 +1,9 @@
 import fs from 'node:fs';
 import path from 'node:path';
+import { parse as parseToml } from 'smol-toml';
 import { environmentVariableIsPopulated, getCustom, getCustomPath, invokeCommand } from '../tools.js';
 import Base_pyproject from './base_pyproject.js';
+import { evaluateMarker } from './marker_evaluator.js';
 export default class Python_poetry extends Base_pyproject {
     /**
      * Poetry has no native workspace/monorepo support (python-poetry/poetry#2270).
@@ -43,7 +45,9 @@ export default class Python_poetry extends Base_pyproject {
         let treeOutput = this._getPoetryShowTreeOutput(manifestDir, hasDevGroup, opts);
         let showAllOutput = this._getPoetryShowAllOutput(manifestDir, opts);
         let versionMap = this._parsePoetryShowAll(showAllOutput);
-        return this._parsePoetryTree(treeOutput, versionMap);
+        let lockDir = this._findLockFileDir(manifestDir, opts);
+        let markerData = this._extractMarkerData(lockDir, parsed);
+        return this._parsePoetryTree(treeOutput, versionMap, markerData);
     }
     /**
      * Get poetry show --tree output.
@@ -98,16 +102,60 @@ export default class Python_poetry extends Base_pyproject {
         }
         return versions;
     }
+    /**
+     * Collects PEP 508 marker expressions for direct and transitive deps.
+     * Direct markers come from pyproject.toml dependency strings, e.g.:
+     *   "pywin32>=311 ; sys_platform == 'win32'"  → directMarkers['pywin32'] = "sys_platform == 'win32'"
+     * Transitive markers come from poetry.lock [package.dependencies] entries, e.g.:
+     *   colorama = {version = "*", markers = "sys_platform == 'win32'"}
+     *   → transitiveMarkers['click']['colorama'] = "sys_platform == 'win32'"
+     * @param {string|null} lockDir
+     * @param {object} parsed - parsed pyproject.toml
+     * @returns {{directMarkers: Map<string, string>, transitiveMarkers: Map<string, Map<string, string>>}}
+     */
+    _extractMarkerData(lockDir, parsed) {
+        let directMarkers = new Map();
+        let transitiveMarkers = new Map();
+        // Extract markers from PEP 621 dependency strings: "name[extras]>=ver ; marker"
+        let deps = parsed.project?.dependencies || [];
+        for (let dep of deps) {
+            let m = dep.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s*[^;]*;\s*(.+)$/);
+            if (m) {
+                directMarkers.set(this._canonicalize(m[1]), m[2].trim());
+            }
+        }
+        if (lockDir) {
+            let lockPath = path.join(lockDir, this._lockFileName());
+            if (fs.existsSync(lockPath)) {
+                let lockContent = fs.readFileSync(lockPath, 'utf-8');
+                let lock = parseToml(lockContent);
+                let packages = lock.package || [];
+                for (let pkg of packages) {
+                    let pkgKey = this._canonicalize(pkg.name);
+                    let pkgDeps = pkg.dependencies || {};
+                    for (let [depName, depSpec] of Object.entries(pkgDeps)) {
+                        let markers = typeof depSpec === 'object' && depSpec != null ? depSpec.markers : null;
+                        if (markers) {
+                            if (!transitiveMarkers.has(pkgKey)) {
+                                transitiveMarkers.set(pkgKey, new Map());
+                            }
+                            transitiveMarkers.get(pkgKey).set(this._canonicalize(depName), markers);
+                        }
+                    }
+                }
+            }
+        }
+        return { directMarkers, transitiveMarkers };
+    }
     /**
      * Parse poetry show --tree output into a dependency graph structure.
-     * Top-level lines (no indentation/tree chars) are direct deps: "name version description"
-     * Indented lines are transitive deps with tree chars: "├── name >=constraint"
      *
      * @param {string} treeOutput
      * @param {Map<string, string>} versionMap - canonical name -> resolved version
+     * @param {{directMarkers: Map<string, string>, transitiveMarkers: Map<string, Map<string, string>>}} markerData
      * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
      */
-    _parsePoetryTree(treeOutput, versionMap) {
+    _parsePoetryTree(treeOutput, versionMap, markerData) {
         let lines = treeOutput.split(/\r?\n/);
         let graph = new Map();
         let directDeps = [];
@@ -123,6 +171,12 @@ export default class Python_poetry extends Base_pyproject {
                 let name = topMatch[1];
                 let version = topMatch[2];
                 let key = this._canonicalize(name);
+                let marker = markerData.directMarkers.get(key);
+                if (marker && !evaluateMarker(marker)) {
+                    currentDirectDep = null;
+                    stack = [];
+                    continue;
+                }
                 directDeps.push(key);
                 if (!graph.has(key)) {
                     graph.set(key, { name, version, children: [] });
@@ -149,6 +203,20 @@ export default class Python_poetry extends Base_pyproject {
             // determine depth by counting tree-drawing groups in the prefix
             let prefix = line.substring(0, nameStart);
             let depth = (prefix.match(/(?:[├└│ ][\s─]{2} ?)/g) || []).length;
+            // pop stack back to find the parent at depth-1
+            while (stack.length > 0 && stack[stack.length - 1].depth >= depth) {
+                stack.pop();
+            }
+            let parentKey = stack.length > 0 ? stack[stack.length - 1].key : null;
+            if (parentKey) {
+                let parentMarkers = markerData.transitiveMarkers.get(parentKey);
+                if (parentMarkers) {
+                    let marker = parentMarkers.get(depKey);
+                    if (marker && !evaluateMarker(marker)) {
+                        continue;
+                    }
+                }
+            }
             // resolve version from the version map
             let version = versionMap.get(depKey) || null;
             if (!version) {
@@ -157,12 +225,7 @@ export default class Python_poetry extends Base_pyproject {
             if (!graph.has(depKey)) {
                 graph.set(depKey, { name: depName, version, children: [] });
             }
-            // pop stack back to find the parent at depth-1
-            while (stack.length > 0 && stack[stack.length - 1].depth >= depth) {
-                stack.pop();
-            }
-            if (stack.length > 0) {
-                let parentKey = stack[stack.length - 1].key;
+            if (parentKey) {
                 let parentEntry = graph.get(parentKey);
                 if (parentEntry && !parentEntry.children.includes(depKey)) {
                     parentEntry.children.push(depKey);

package/dist/src/providers/python_uv.d.ts

@@ -1,4 +1,32 @@
+/**
+ * Discover all pyproject.toml manifest paths in a uv workspace.
+ * Parses `[tool.uv.workspace]` from root pyproject.toml and glob-expands member patterns.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain pyproject.toml and uv.lock)
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}]
+ * @returns {Promise<string[]>} Paths to pyproject.toml files (absolute)
+ */
+export function discoverUvWorkspaceMembers(workspaceRoot: string, opts?: {
+    workspaceDiscoveryIgnore?: string[];
+    TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string;
+    [key: string]: unknown;
+}): Promise<string[]>;
 export default class Python_uv extends Base_pyproject {
+    /**
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    _getDependencyData(manifestDir: string, workspaceDir: string, parsed: object, opts: any): Promise<{
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    }>;
     /**
      * Get the uv export output, either from env var or by running the command.
      * @param {string} manifestDir

package/dist/src/providers/python_uv.js

@@ -1,8 +1,11 @@
 import fs from 'node:fs';
 import path from 'node:path';
+import fg from 'fast-glob';
 import { parse as parseToml } from 'smol-toml';
 import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import { filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, toManifestGlobPatterns } from '../workspace.js';
 import Base_pyproject from './base_pyproject.js';
+import { evaluateMarker } from './marker_evaluator.js';
 import { getParser, getPinnedVersionQuery } from './requirements_parser.js';
 export default class Python_uv extends Base_pyproject {
     /** @returns {string} */
@@ -89,6 +92,16 @@ export default class Python_uv extends Base_pyproject {
                 if (!nameNode) {
                     continue;
                 }
+                // Skip packages with non-matching PEP 508 markers, e.g. "pywin32==311 ; sys_platform == 'win32'"
+                let markerNode = child.children.find(c => c.type === 'marker_spec');
+                if (markerNode) {
+                    let markerText = markerNode.text.replace(/^\s*;\s*/, '');
+                    if (!evaluateMarker(markerText)) {
+                        currentPkg = null;
+                        collectingVia = false;
+                        continue;
+                    }
+                }
                 let name = nameNode.text;
                 let version = null;
                 let versionMatches = pinnedVersionQuery.matches(child);
@@ -147,3 +160,68 @@ export default class Python_uv extends Base_pyproject {
         return { directDeps, graph };
     }
 }
+const DEFAULT_UV_DISCOVERY_IGNORE = [
+    '**/__pycache__/**',
+    '**/.venv/**',
+];
+/**
+ * Discover all pyproject.toml manifest paths in a uv workspace.
+ * Parses `[tool.uv.workspace]` from root pyproject.toml and glob-expands member patterns.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain pyproject.toml and uv.lock)
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}]
+ * @returns {Promise<string[]>} Paths to pyproject.toml files (absolute)
+ */
+export async function discoverUvWorkspaceMembers(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const rootPyproject = path.join(root, 'pyproject.toml');
+    const uvLock = path.join(root, 'uv.lock');
+    if (!fs.existsSync(rootPyproject) || !fs.existsSync(uvLock)) {
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = parseToml(fs.readFileSync(rootPyproject, 'utf-8'));
+    }
+    catch {
+        return [];
+    }
+    const workspaceConfig = parsed?.tool?.uv?.workspace;
+    if (!workspaceConfig) {
+        return [];
+    }
+    const memberPatterns = workspaceConfig.members;
+    if (!Array.isArray(memberPatterns) || memberPatterns.length === 0) {
+        return [];
+    }
+    const excludePatterns = Array.isArray(workspaceConfig.exclude) ? workspaceConfig.exclude : [];
+    const excludeGlobs = excludePatterns
+        .filter(p => typeof p === 'string' && p.trim())
+        .map(p => `${p.trim()}/pyproject.toml`);
+    const ignorePatterns = [...resolveWorkspaceDiscoveryIgnore(opts), ...DEFAULT_UV_DISCOVERY_IGNORE];
+    const globOpts = {
+        cwd: root,
+        absolute: true,
+        onlyFiles: true,
+        ignore: [...ignorePatterns, ...excludeGlobs],
+        followSymbolicLinks: false,
+    };
+    const patterns = toManifestGlobPatterns(memberPatterns.filter(p => typeof p === 'string'), 'pyproject.toml');
+    const manifestPaths = await fg(patterns, globOpts);
+    if (!manifestPaths.includes(rootPyproject) && hasProjectMetadata(parsed)) {
+        manifestPaths.unshift(rootPyproject);
+    }
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * @param {import('smol-toml').TomlTable} parsedPyProject
+ * @returns {boolean}
+ */
+function hasProjectMetadata(parsedPyProject) {
+    try {
+        return typeof parsedPyProject?.project?.name === 'string' && parsedPyProject.project.name.trim() !== '';
+    }
+    catch {
+        return false;
+    }
+}

package/dist/src/sbom.d.ts

@@ -25,9 +25,14 @@ export default class Sbom {
     /**
      * @param {component} sourceRef current source Component ( Starting from root component by clients)
      * @param {PackageURL} targetRef current dependency to add to Dependencies list of component sourceRef
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return Sbom
      */
-    addDependency(sourceRef: component, targetRef: PackageURL, scope: any): CycloneDxSbom;
+    addDependency(sourceRef: component, targetRef: PackageURL, scope?: string, targetHashes?: Array<{
+        alg: string;
+        content: string;
+    }>): CycloneDxSbom;
     /**
      * @return String sbom json in a string format
      */
@@ -45,6 +50,7 @@ export default class Sbom {
         version: any;
         scope: any;
         licenses?: any;
+        hashes?: any;
     };
     /** This method gets a component object, and a string name, and checks if the name is a substring of the component' purl.
      * @param {} component to search in its dependencies

package/dist/src/sbom.js

@@ -43,10 +43,12 @@ export default class Sbom {
     /**
      * @param {component} sourceRef current source Component ( Starting from root component by clients)
      * @param {PackageURL} targetRef current dependency to add to Dependencies list of component sourceRef
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return Sbom
      */
-    addDependency(sourceRef, targetRef, scope) {
-        return this.sbomModel.addDependency(sourceRef, targetRef, scope);
+    addDependency(sourceRef, targetRef, scope, targetHashes) {
+        return this.sbomModel.addDependency(sourceRef, targetRef, scope, targetHashes);
     }
     /**
      * @return String sbom json in a string format

package/dist/src/tools.d.ts

@@ -61,6 +61,32 @@ export function toPurlFromString(strPurl: any): PackageURL | null;
  * @param {string} cwd - directory for which to find the root of the git repository.
  */
 export function getGitRootDir(cwd: string): string | undefined;
+/**
+ * Normalize a filesystem path, lowercasing on Windows for case-insensitive comparison.
+ *
+ * @param {string} thePath
+ * @returns {string}
+ */
+export function normalizePath(thePath: string): string;
+/**
+ * Walk up from `startDir` to `repoRoot` looking for an executable wrapper script.
+ *
+ * @param {string} startDir - Absolute directory to start from
+ * @param {string} wrapperName - Wrapper filename (e.g. `mvnw`, `gradlew`)
+ * @param {string} [repoRoot] - Stop boundary (defaults to git root or filesystem root)
+ * @returns {string | undefined}
+ */
+export function traverseForWrapper(startDir: string, wrapperName: string, repoRoot?: string): string | undefined;
+/**
+ * Resolve a build-tool binary, preferring a wrapper when configured.
+ *
+ * @param {string} globalBinary - Global binary name (e.g. `mvn`, `gradle`)
+ * @param {string} localWrapper - Wrapper filename (e.g. `mvnw`, `gradlew.bat`)
+ * @param {string} startDir - Directory from which to start the wrapper search
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {string} Path to the resolved binary
+ */
+export function resolveBinary(globalBinary: string, localWrapper: string, startDir: string, opts?: import("./index.js").Options): string;
 /** this method invokes command string in a process in a synchronous way.
  * @param {string} bin - the command to be invoked
  * @param {Array<string>} args - the args to pass to the binary

package/dist/src/tools.js

@@ -1,4 +1,6 @@
 import { execFileSync } from "child_process";
+import fs from 'node:fs';
+import path from 'node:path';
 import { EOL } from "os";
 import { HttpsProxyAgent } from "https-proxy-agent";
 import { PackageURL } from "packageurl-js";
@@ -128,6 +130,62 @@ export function getGitRootDir(cwd) {
         return undefined;
     }
 }
+/**
+ * Normalize a filesystem path, lowercasing on Windows for case-insensitive comparison.
+ *
+ * @param {string} thePath
+ * @returns {string}
+ */
+export function normalizePath(thePath) {
+    const normalized = path.resolve(thePath).normalize();
+    return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
+}
+/**
+ * Walk up from `startDir` to `repoRoot` looking for an executable wrapper script.
+ *
+ * @param {string} startDir - Absolute directory to start from
+ * @param {string} wrapperName - Wrapper filename (e.g. `mvnw`, `gradlew`)
+ * @param {string} [repoRoot] - Stop boundary (defaults to git root or filesystem root)
+ * @returns {string | undefined}
+ */
+export function traverseForWrapper(startDir, wrapperName, repoRoot = undefined) {
+    const currentDir = normalizePath(startDir);
+    repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(currentDir).root;
+    const wrapperPath = path.join(currentDir, wrapperName);
+    try {
+        fs.accessSync(wrapperPath, fs.constants.X_OK);
+        return wrapperPath;
+    }
+    catch {
+        const rootDir = path.parse(currentDir).root;
+        if (currentDir === repoRoot || currentDir === rootDir) {
+            return undefined;
+        }
+        const parentDir = path.dirname(currentDir);
+        if (parentDir === currentDir || parentDir === rootDir) {
+            return undefined;
+        }
+        return traverseForWrapper(parentDir, wrapperName, repoRoot);
+    }
+}
+/**
+ * Resolve a build-tool binary, preferring a wrapper when configured.
+ *
+ * @param {string} globalBinary - Global binary name (e.g. `mvn`, `gradle`)
+ * @param {string} localWrapper - Wrapper filename (e.g. `mvnw`, `gradlew.bat`)
+ * @param {string} startDir - Directory from which to start the wrapper search
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {string} Path to the resolved binary
+ */
+export function resolveBinary(globalBinary, localWrapper, startDir, opts = {}) {
+    if (getWrapperPreference(globalBinary, opts)) {
+        const wrapper = traverseForWrapper(startDir, localWrapper);
+        if (wrapper !== undefined) {
+            return wrapper;
+        }
+    }
+    return getCustomPath(globalBinary, opts);
+}
 /** this method invokes command string in a process in a synchronous way.
  * @param {string} bin - the command to be invoked
  * @param {Array<string>} args - the args to pass to the binary

package/dist/src/workspace.d.ts

@@ -42,6 +42,15 @@ export function discoverWorkspacePackages(workspaceRoot: string, opts?: {
     TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string;
     [key: string]: unknown;
 }): Promise<string[]>;
+/**
+ * Convert workspace glob patterns to manifest-file glob patterns,
+ * correctly handling negation prefixes.
+ *
+ * @param {string[]} patterns - Workspace glob patterns (may include negations)
+ * @param {string} manifestFileName - e.g. 'package.json' or 'Cargo.toml'
+ * @returns {string[]}
+ */
+export function toManifestGlobPatterns(patterns: string[], manifestFileName: string): string[];
 /**
  * Discover all Cargo.toml manifest paths in a Cargo workspace.
  * Uses `cargo metadata` to get workspace members.

package/dist/src/workspace.js

@@ -172,7 +172,7 @@ function parsePnpmPackages(content) {
  * @param {string} manifestFileName - e.g. 'package.json' or 'Cargo.toml'
  * @returns {string[]}
  */
-function toManifestGlobPatterns(patterns, manifestFileName) {
+export function toManifestGlobPatterns(patterns, manifestFileName) {
     return patterns.map(p => {
         if (p.startsWith('!')) {
             return `!${p.slice(1)}/${manifestFileName}`;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.a783c26",
+	"version": "0.3.0-ea.a8c3942",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",
@@ -51,7 +51,6 @@
 		"@cyclonedx/cyclonedx-library": "^6.13.0",
 		"eslint-import-resolver-typescript": "^4.4.4",
 		"fast-glob": "^3.3.3",
-		"fast-toml": "^0.5.4",
 		"fast-xml-parser": "^5.3.4",
 		"help": "^3.0.2",
 		"https-proxy-agent": "^7.0.6",