@trustify-da/trustify-da-javascript-client 0.3.0-ea.b40d888 → 0.3.0-ea.c2f6c64

package/README.md

@@ -32,6 +32,11 @@ let stackAnalysis = await client.stackAnalysis('/path/to/pom.xml')
 let stackAnalysisHtml = await client.stackAnalysis('/path/to/pom.xml', true)
 // Get component analysis in JSON format
 let componentAnalysis = await client.componentAnalysis('/path/to/pom.xml')
+// For monorepos, pass workspace root so the client finds the lock file
+let monorepoOpts = { workspaceDir: '/path/to/workspace-root' }
+let stackAnalysisMonorepo = await client.stackAnalysis('/path/to/package.json', false, monorepoOpts)
+// Batch analysis for entire workspace (Cargo or JS/TS); optional parallel SBOM generation
+let batchReport = await client.stackAnalysisBatch('/path/to/workspace-root', false, { batchConcurrency: 10 })
 // Get image analysis in JSON format
 let imageAnalysis = await client.imageAnalysis(['docker.io/library/node:18'])
 // Get image analysis in HTML format (string)
@@ -43,6 +48,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'])
 ```
 </li>
 </ul>
+
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
+</ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
 <ul>
 <li>
 Use as ESM Module from Common-JS module
@@ -83,12 +103,14 @@ Use as CLI Script
 ```shell
 $ npx @trustify-da/trustify-da-javascript-client help
 
-Usage: trustify-da-javascript-client {component|stack|image|validate-token}
+Usage: trustify-da-javascript-client {component|stack|image|validate-token|license}
 
 Commands:
-  trustify-da-javascript-client stack </path/to/manifest> [--html|--summary]               produce stack report for manifest path
-  trustify-da-javascript-client component <path/to/manifest> [--summary]   produce component report for a manifest type and content
+  trustify-da-javascript-client stack </path/to/manifest> [--workspace-dir <path>] [--html|--summary]               produce stack report for manifest path
+  trustify-da-javascript-client stack-batch </path/to/workspace-root> [--html|--summary]   produce stack report for all packages/crates in workspace
+  trustify-da-javascript-client component <path/to/manifest> [--workspace-dir <path>]   produce component report for a manifest type and content
   trustify-da-javascript-client image <image-refs..> [--html|--summary]               produce image analysis report for OCI image references
+  trustify-da-javascript-client license </path/to/manifest>               display project license information from manifest and LICENSE file in JSON format
 
 Options:
   --help  Show help                                                    [boolean]
@@ -105,9 +127,21 @@ $ npx @trustify-da/trustify-da-javascript-client stack /path/to/pom.xml --summar
 # get stack analysis in html format format
 $ npx @trustify-da/trustify-da-javascript-client stack /path/to/pom.xml --html
 
+# get stack analysis for monorepo (lock file at workspace root)
+$ npx @trustify-da/trustify-da-javascript-client stack /path/to/package.json --workspace-dir /path/to/workspace-root
+
 # get component analysis
 $ npx @trustify-da/trustify-da-javascript-client component /path/to/pom.xml
 
+# get component analysis for monorepo
+$ npx @trustify-da/trustify-da-javascript-client component /path/to/package.json -w /path/to/workspace-root
+
+# batch stack analysis for entire workspace (Cargo or JS/TS)
+$ npx @trustify-da/trustify-da-javascript-client stack-batch /path/to/workspace-root
+
+# optional: extra discovery excludes (merged with defaults); repeat --ignore or use TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE
+$ npx @trustify-da/trustify-da-javascript-client stack-batch /path/to/workspace-root --ignore '**/fixtures/**'
+
 # get image analysis in json format
 $ npx @trustify-da/trustify-da-javascript-client image docker.io/library/node:18
 
@@ -123,6 +157,9 @@ $ npx @trustify-da/trustify-da-javascript-client image docker.io/library/node:18
 
 # specify architecture using ^^ notation (e.g., httpd:2.4.49^^amd64)
 $ npx @trustify-da/trustify-da-javascript-client image httpd:2.4.49^^amd64
+
+# get project license information
+$ npx @trustify-da/trustify-da-javascript-client license /path/to/package.json
 ```
 </li>
 
@@ -143,9 +180,21 @@ $ trustify-da-javascript-client stack /path/to/pom.xml --summary
 # get stack analysis in html format format
 $ trustify-da-javascript-client stack /path/to/pom.xml --html
 
+# get stack analysis for monorepo (lock file at workspace root)
+$ trustify-da-javascript-client stack /path/to/package.json --workspace-dir /path/to/workspace-root
+
 # get component analysis
 $ trustify-da-javascript-client component /path/to/pom.xml
 
+# get component analysis for monorepo
+$ trustify-da-javascript-client component /path/to/package.json -w /path/to/workspace-root
+
+# batch stack analysis for entire workspace
+$ trustify-da-javascript-client stack-batch /path/to/workspace-root
+
+# with extra discovery excludes
+$ trustify-da-javascript-client stack-batch /path/to/workspace-root -i '**/vendor/**'
+
 # get image analysis in json format
 $ trustify-da-javascript-client image docker.io/library/node:18
 
@@ -161,6 +210,9 @@ $ trustify-da-javascript-client image docker.io/library/node:18 docker.io/librar
 
 # specify architecture using ^^ notation (e.g., httpd:2.4.49^^amd64)
 $ trustify-da-javascript-client image httpd:2.4.49^^amd64
+
+# get project license information
+$ trustify-da-javascript-client license /path/to/package.json
 ```
 </li>
 </ul>
@@ -172,9 +224,26 @@ $ trustify-da-javascript-client image httpd:2.4.49^^amd64
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://pnpm.io/">pnpm</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://classic.yarnpkg.com/">Yarn Classic</a> /  <a href="https://yarnpkg.com/">Yarn Berry</a></li>
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
-<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a> (<code>requirements.txt</code>)</li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://python-poetry.org/">Poetry</a> / <a href="https://docs.astral.sh/uv/">uv</a> (<code>pyproject.toml</code>)</li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
+<li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
+</ul>
+
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
 </ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
 
 <h3>Excluding Packages</h3>
 <p>
@@ -219,8 +288,11 @@ Excluding a package from any analysis can be achieved by marking the package for
   ]
 }
 ```
+</li>
+
+<li>
+<em>Golang</em> users can add in go.mod a comment with <code>// exhortignore</code> next to the package to be ignored, or to "piggyback" on existing comment ( e.g - <code>// indirect</code>), for example:
 
-<em>Golang</em> users can add in go.mod a comment with //exhortignore next to the package to be ignored, or to "piggyback" on existing comment ( e.g - //indirect) , for example:
 ```go
 module github.com/trustify-da/SaaSi/deployer
 
@@ -229,7 +301,7 @@ go 1.19
 require (
         github.com/gin-gonic/gin v1.9.1
         github.com/google/uuid v1.1.2
-        github.com/jessevdk/go-flags v1.5.0 //exhortignore
+        github.com/jessevdk/go-flags v1.5.0 // exhortignore
         github.com/kr/pretty v0.3.1
         gopkg.in/yaml.v2 v2.4.0
         k8s.io/apimachinery v0.26.1
@@ -237,14 +309,20 @@ require (
 )
 
 require (
-        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
+        github.com/davecgh/go-spew v1.1.1 // indirect; exhortignore
         github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-        github.com/go-logr/logr v1.2.3 // indirect //exhortignore
+        github.com/go-logr/logr v1.2.3 // indirect; exhortignore
 
 )
 ```
 
+<b>NOTE</b>: It is important to format <code>exhortignore</code> markers on indirect dependencies as shown above, otherwise the Go tooling (as well as this library) may incorrectly parse dependencies marked as indirect as being direct dependencies instead.
+</li>
+
+
+<li>
 <em>Python pip</em> users can add in requirements.txt a comment with #exhortignore(or # exhortignore) to the right of the same artifact to be ignored, for example:
+
 ```properties
 anyio==3.6.2
 asgiref==3.4.1
@@ -275,11 +353,14 @@ Werkzeug==2.0.3
 zipp==3.6.0
 
 ```
+</li>
 
+<li>
 <em>Gradle</em> users can add in build.gradle a comment with //exhortignore next to the package to be ignored:
+
 ```build.gradle
 plugins {
-id 'java'
+    id 'java'
 }
 
 group = 'groupName'
@@ -297,9 +378,45 @@ test {
 }
 ```
 
-All of the 5 above examples are valid for marking a package to be ignored
-</li>
+<em>Rust Cargo</em> users can add a comment with <code># trustify-da-ignore</code> (or <code># exhortignore</code>) in <em>Cargo.toml</em> next to the dependency to be ignored. This works for inline declarations, table-based declarations, and workspace-level dependency sections:
 
+```toml
+[dependencies]
+serde = "1.0" # trustify-da-ignore
+tokio = { version = "1.35", features = ["full"] }
+
+[dependencies.regex] # trustify-da-ignore
+version = "1.10"
+
+[workspace.dependencies]
+log = "0.4" # trustify-da-ignore
+```
+
+
+<em>Python pyproject.toml</em> users can add a comment with <code>#exhortignore</code> (or <code># trustify-da-ignore</code>) next to the dependency in <code>pyproject.toml</code>.
+
+PEP 621 style (<code>[project]</code> dependencies):
+```toml
+[project]
+dependencies = [
+    "flask>=2.0.3",
+    "requests>=2.25.1",
+    "uvicorn>=0.17.0", #exhortignore
+    "click>=8.0.4", # trustify-da-ignore
+]
+```
+
+Poetry style (<code>[tool.poetry.dependencies]</code>):
+```toml
+[tool.poetry.dependencies]
+flask = "^2.0.3"
+requests = "^2.25.1"
+uvicorn = "^0.17.0" #exhortignore
+click = "^8.0.4" # trustify-da-ignore
+```
+
+All of the above examples are valid for marking a package to be ignored
+</li>
 </ul>
 
 <h3>Customization</h3>
@@ -328,7 +445,12 @@ let options = {
   'TRUSTIFY_DA_PIP3_PATH' : '/path/to/pip3',
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
+  'TRUSTIFY_DA_UV_PATH' : '/path/to/uv',
+  'TRUSTIFY_DA_POETRY_PATH' : '/path/to/poetry',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
+  'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
+  // Workspace root for monorepos (Cargo, npm/pnpm/yarn); lock file expected here
+  'workspaceDir': '/path/to/workspace-root',
   // Configure proxy for all requests
   'TRUSTIFY_DA_PROXY_URL': 'http://proxy.example.com:8080'
 }
@@ -351,6 +473,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'],
  **_Environment variables takes precedence._**
 </p>
 
+<h4>Monorepo / Workspace Support</h4>
+<p>
+For monorepos (Cargo workspaces, npm/pnpm/yarn workspaces) where the lock file lives at the workspace root rather than next to the manifest, pass the workspace root via <code>workspaceDir</code> or <code>TRUSTIFY_DA_WORKSPACE_DIR</code>:
+</p>
+<ul>
+<li><strong>Cargo:</strong> When set, the client checks only the given directory for <code>Cargo.lock</code> instead of walking up from the manifest.</li>
+<li><strong>JavaScript (npm, pnpm, yarn):</strong> When set, the client looks for the lock file (<code>package-lock.json</code>, <code>pnpm-lock.yaml</code>, <code>yarn.lock</code>) at the workspace root.</li>
+</ul>
+<p>
+Use <code>stackAnalysisBatch(workspaceRoot, html, opts)</code> to analyze all packages/crates in a workspace in one request. Supports Cargo workspaces and JS/TS workspaces (pnpm, npm, yarn). Optional <code>batchConcurrency</code> (or <code>TRUSTIFY_DA_BATCH_CONCURRENCY</code>) limits parallel SBOM generation (default 10). For JS/TS, each <code>package.json</code> must have non-empty <code>name</code> and <code>version</code>; invalid manifests are skipped (warnings). Per-manifest SBOM failures are skipped if at least one SBOM succeeds (unless <code>continueOnError: false</code>). Set <code>batchMetadata: true</code> (or <code>TRUSTIFY_DA_BATCH_METADATA</code>) to receive <code>{ analysis, metadata }</code> with <code>errors[]</code>. CLI: <code>stack-batch --metadata</code>, <code>--fail-fast</code>. See <a href="./docs/monorepo-implementation-plan.md">monorepo implementation plan</a> §2.3 and §3.5.
+</p>
+<p>
+See <a href="./docs/vscode-extension-integration-requirements.md">VS Code Extension Integration Requirements</a> for integration details.
+</p>
+
 <h4>Proxy Configuration</h4>
 <p>
 You can configure a proxy for all HTTP/HTTPS requests made by the API. This is useful when your environment requires going through a proxy to access external services.
@@ -372,6 +509,11 @@ const options = {
 The proxy URL should be in the format: `http://host:port` or `https://host:port`. The API will automatically use the appropriate protocol (HTTP or HTTPS) based on the proxy URL provided.
 </p>
 
+<h4>License resolution and dependency license compliance</h4>
+<p>
+The client can resolve the <strong>project license</strong> from the manifest (e.g. <code>package.json</code> <code>license</code>, <code>pom.xml</code> <code>&lt;licenses&gt;</code>, <code>Cargo.toml</code> <code>license</code>) and from a <code>LICENSE</code> or <code>LICENSE.md</code> file in the project, and report when they differ. For <strong>component analysis</strong>, you can optionally run a license check: the client fetches dependency licenses from the backend (by purl) and reports dependencies whose licenses are incompatible with the project license. See <a href="docs/license-resolution-and-compliance.md">License resolution and compliance</a> for design and behavior. To disable the check on component analysis, set <code>TRUSTIFY_DA_LICENSE_CHECK=false</code> or pass <code>licenseCheck: false</code> in the options.
+</p>
+
 <h4>Customizing Executables</h4>
 <p>
 This project uses each ecosystem's executable for creating dependency trees. These executables are expected to be
@@ -445,6 +587,26 @@ following keys for setting custom paths for the said executables.
 <td><em>gradle</em></td>
 <td>TRUSTIFY_DA_PREFER_GRADLEW</td>
 </tr>
+<tr>
+<td><a href="https://www.rust-lang.org/">Rust Cargo</a></td>
+<td><em>cargo</em></td>
+<td>TRUSTIFY_DA_CARGO_PATH</td>
+</tr>
+<tr>
+<td><a href="https://docs.astral.sh/uv/">uv</a></td>
+<td><em>uv</em></td>
+<td>TRUSTIFY_DA_UV_PATH</td>
+</tr>
+<tr>
+<td><a href="https://python-poetry.org/">Poetry</a></td>
+<td><em>poetry</em></td>
+<td>TRUSTIFY_DA_POETRY_PATH</td>
+</tr>
+<tr>
+<td>Workspace root (monorepos)</td>
+<td>—</td>
+<td>workspaceDir / TRUSTIFY_DA_WORKSPACE_DIR</td>
+</tr>
 </table>
 
 #### Match Manifest Versions Feature
@@ -493,6 +655,24 @@ TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED=false
 
 #### Python Support
 
+The client supports two Python manifest formats:
+
+- **`requirements.txt`** — uses pip/pip3 to resolve dependencies
+- **`pyproject.toml`** — uses [uv](https://docs.astral.sh/uv/) or [Poetry](https://python-poetry.org/) to resolve dependencies
+
+##### pyproject.toml
+
+For `pyproject.toml` projects, the client detects which tool manages the project by checking for lock files:
+- If `poetry.lock` is present and `[tool.poetry]` is defined, **Poetry** is used (`poetry show --tree` and `poetry show --all`)
+- If `uv.lock` is present, **uv** is used (`uv export --format requirements.txt --frozen --no-hashes`)
+- If neither lock file is found, an error is thrown
+
+Both PEP 621 (`[project]` dependencies) and Poetry-style (`[tool.poetry.dependencies]`) are supported.
+
+Custom executable paths can be set via `TRUSTIFY_DA_UV_PATH` and `TRUSTIFY_DA_POETRY_PATH`.
+
+##### requirements.txt
+
 By default, For python support, the api assumes that the package is installed using the pip/pip3 binary on the system PATH, or using the customized
 Binaries passed to environment variables. In any case, If the package is not installed , then an error will be thrown.
 

package/dist/package.json

@@ -38,36 +38,49 @@
         "lint": "eslint src test --ext js",
         "lint:fix": "eslint src test --ext js --fix",
         "test": "c8 npm run tests",
-        "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
+        "tests": "mocha --config .mocharc.json",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
         "precompile": "rm -rf dist",
-        "compile": "tsc -p tsconfig.json"
+        "compile": "tsc -p tsconfig.json",
+        "compile:dev": "tsc -p tsconfig.dev.json",
+        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm dist/src/providers/tree-sitter-gomod.wasm"
     },
     "dependencies": {
         "@babel/core": "^7.23.2",
-        "@cyclonedx/cyclonedx-library": "~1.13.3",
+        "@cyclonedx/cyclonedx-library": "^6.13.0",
+        "eslint-import-resolver-typescript": "^4.4.4",
+        "fast-glob": "^3.3.3",
         "fast-toml": "^0.5.4",
-        "fast-xml-parser": "^4.5.3",
+        "fast-xml-parser": "^5.3.4",
         "help": "^3.0.2",
         "https-proxy-agent": "^7.0.6",
-        "node-fetch": "^2.7.0",
-        "packageurl-js": "^1.0.2",
-        "yargs": "^17.7.2"
+        "js-yaml": "^4.1.1",
+        "micromatch": "^4.0.8",
+        "node-fetch": "^3.3.2",
+        "p-limit": "^4.0.0",
+        "packageurl-js": "~1.0.2",
+        "smol-toml": "^1.6.0",
+        "tree-sitter-gomod": "github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda",
+        "tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
+        "web-tree-sitter": "^0.26.7",
+        "yargs": "^18.0.0"
     },
     "devDependencies": {
         "@babel/core": "^7.23.2",
-        "@trustify-da/trustify-da-api-model": "^2.0.1",
+        "@trustify-da/trustify-da-api-model": "^2.0.7",
         "@types/node": "^20.17.30",
         "@types/which": "^3.0.4",
         "babel-plugin-rewire": "^1.2.0",
-        "c8": "^8.0.0",
+        "c8": "^11.0.0",
         "chai": "^4.3.7",
         "eslint": "^8.42.0",
+        "eslint-import-resolver-typescript": "^4.4.4",
         "eslint-plugin-editorconfig": "^4.0.3",
         "eslint-plugin-import": "^2.29.1",
         "esmock": "^2.6.2",
         "mocha": "^10.2.0",
-        "msw": "^1.3.2",
+        "msw": "^2.12.7",
         "sinon": "^15.1.2",
         "sinon-chai": "^3.7.0",
         "typescript": "^5.1.3",

package/dist/src/analysis.d.ts

@@ -1,6 +1,9 @@
+/** Media type for CycloneDX JSON batch payloads (batch-analysis API). */
+export const CYCLONEDX_JSON_MEDIA_TYPE: "application/vnd.cyclonedx+json";
 declare namespace _default {
     export { requestComponent };
     export { requestStack };
+    export { requestStackBatch };
     export { requestImages };
     export { validateToken };
 }
@@ -13,7 +16,7 @@ export default _default;
  * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {Promise<import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>}
  */
-declare function requestComponent(provider: import('./provider').Provider, manifest: string, url: string, opts?: import("index.js").Options | undefined): Promise<import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>;
+declare function requestComponent(provider: import("./provider").Provider, manifest: string, url: string, opts?: import("index.js").Options): Promise<import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
 /**
  * Send a stack analysis request and get the report as 'text/html' or 'application/json'.
  * @param {import('./provider').Provider} provider - the provided data for constructing the request
@@ -23,7 +26,20 @@ declare function requestComponent(provider: import('./provider').Provider, manif
  * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {Promise<string|import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>}
  */
-declare function requestStack(provider: import('./provider').Provider, manifest: string, url: string, html?: boolean | undefined, opts?: import("index.js").Options | undefined): Promise<string | import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>;
+declare function requestStack(provider: import("./provider").Provider, manifest: string, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * Send a batch stack analysis request for multiple manifests (SBOMs keyed by purl).
+ * @param {Object.<string, object>} sbomByPurl - Map of root purl to CycloneDX SBOM object
+ * @param {string} url - the backend url
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON
+ * @param {import("index.js").Options} [opts={}]
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ */
+declare function requestStackBatch(sbomByPurl: {
+    [x: string]: any;
+}, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | {
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  *
  * @param {Array<string>} imageRefs
@@ -31,8 +47,8 @@ declare function requestStack(provider: import('./provider').Provider, manifest:
  * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
  */
-declare function requestImages(imageRefs: Array<string>, url: string, html?: boolean, opts?: import("index.js").Options | undefined): Promise<string | {
-    [x: string]: import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport;
+declare function requestImages(imageRefs: Array<string>, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | {
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
 }>;
 /**
  *
@@ -40,4 +56,4 @@ declare function requestImages(imageRefs: Array<string>, url: string, html?: boo
  * @param {import("index.js").Options} [opts={}] - optional various options to pass headers for t he validateToken Request
  * @return {Promise<number>} return the HTTP status Code of the response from the validate token request.
  */
-declare function validateToken(url: any, opts?: import("index.js").Options | undefined): Promise<number>;
+declare function validateToken(url: any, opts?: import("index.js").Options): Promise<number>;