@trustify-da/trustify-da-javascript-client 0.3.0-ea.b8af0f8 → 0.3.0-ea.bbe2094

package/README.md

@@ -224,7 +224,8 @@ $ trustify-da-javascript-client license /path/to/package.json
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://pnpm.io/">pnpm</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://classic.yarnpkg.com/">Yarn Classic</a> /  <a href="https://yarnpkg.com/">Yarn Berry</a></li>
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
-<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a> (<code>requirements.txt</code>)</li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://python-poetry.org/">Poetry</a> / <a href="https://docs.astral.sh/uv/">uv</a> (<code>pyproject.toml</code>)</li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
 <li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
 </ul>
@@ -287,8 +288,11 @@ Excluding a package from any analysis can be achieved by marking the package for
   ]
 }
 ```
+</li>
+
+<li>
+<em>Golang</em> users can add in go.mod a comment with <code>// exhortignore</code> next to the package to be ignored, or to "piggyback" on existing comment ( e.g - <code>// indirect</code>), for example:
 
-<em>Golang</em> users can add in go.mod a comment with //exhortignore next to the package to be ignored, or to "piggyback" on existing comment ( e.g - //indirect) , for example:
 ```go
 module github.com/trustify-da/SaaSi/deployer
 
@@ -297,7 +301,7 @@ go 1.19
 require (
         github.com/gin-gonic/gin v1.9.1
         github.com/google/uuid v1.1.2
-        github.com/jessevdk/go-flags v1.5.0 //exhortignore
+        github.com/jessevdk/go-flags v1.5.0 // exhortignore
         github.com/kr/pretty v0.3.1
         gopkg.in/yaml.v2 v2.4.0
         k8s.io/apimachinery v0.26.1
@@ -305,14 +309,20 @@ require (
 )
 
 require (
-        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
+        github.com/davecgh/go-spew v1.1.1 // indirect; exhortignore
         github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-        github.com/go-logr/logr v1.2.3 // indirect //exhortignore
+        github.com/go-logr/logr v1.2.3 // indirect; exhortignore
 
 )
 ```
 
+<b>NOTE</b>: It is important to format <code>exhortignore</code> markers on indirect dependencies as shown above, otherwise the Go tooling (as well as this library) may incorrectly parse dependencies marked as indirect as being direct dependencies instead.
+</li>
+
+
+<li>
 <em>Python pip</em> users can add in requirements.txt a comment with #exhortignore(or # exhortignore) to the right of the same artifact to be ignored, for example:
+
 ```properties
 anyio==3.6.2
 asgiref==3.4.1
@@ -343,11 +353,14 @@ Werkzeug==2.0.3
 zipp==3.6.0
 
 ```
+</li>
 
+<li>
 <em>Gradle</em> users can add in build.gradle a comment with //exhortignore next to the package to be ignored:
+
 ```build.gradle
 plugins {
-id 'java'
+    id 'java'
 }
 
 group = 'groupName'
@@ -379,9 +392,31 @@ version = "1.10"
 log = "0.4" # trustify-da-ignore
 ```
 
-All of the 6 above examples are valid for marking a package to be ignored
-</li>
 
+<em>Python pyproject.toml</em> users can add a comment with <code>#exhortignore</code> (or <code># trustify-da-ignore</code>) next to the dependency in <code>pyproject.toml</code>.
+
+PEP 621 style (<code>[project]</code> dependencies):
+```toml
+[project]
+dependencies = [
+    "flask>=2.0.3",
+    "requests>=2.25.1",
+    "uvicorn>=0.17.0", #exhortignore
+    "click>=8.0.4", # trustify-da-ignore
+]
+```
+
+Poetry style (<code>[tool.poetry.dependencies]</code>):
+```toml
+[tool.poetry.dependencies]
+flask = "^2.0.3"
+requests = "^2.25.1"
+uvicorn = "^0.17.0" #exhortignore
+click = "^8.0.4" # trustify-da-ignore
+```
+
+All of the above examples are valid for marking a package to be ignored
+</li>
 </ul>
 
 <h3>Customization</h3>
@@ -410,6 +445,8 @@ let options = {
   'TRUSTIFY_DA_PIP3_PATH' : '/path/to/pip3',
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
+  'TRUSTIFY_DA_UV_PATH' : '/path/to/uv',
+  'TRUSTIFY_DA_POETRY_PATH' : '/path/to/poetry',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
   'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
   // Workspace root for monorepos (Cargo, npm/pnpm/yarn); lock file expected here
@@ -556,6 +593,16 @@ following keys for setting custom paths for the said executables.
 <td>TRUSTIFY_DA_CARGO_PATH</td>
 </tr>
 <tr>
+<td><a href="https://docs.astral.sh/uv/">uv</a></td>
+<td><em>uv</em></td>
+<td>TRUSTIFY_DA_UV_PATH</td>
+</tr>
+<tr>
+<td><a href="https://python-poetry.org/">Poetry</a></td>
+<td><em>poetry</em></td>
+<td>TRUSTIFY_DA_POETRY_PATH</td>
+</tr>
+<tr>
 <td>Workspace root (monorepos)</td>
 <td>—</td>
 <td>workspaceDir / TRUSTIFY_DA_WORKSPACE_DIR</td>
@@ -608,6 +655,24 @@ TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED=false
 
 #### Python Support
 
+The client supports two Python manifest formats:
+
+- **`requirements.txt`** — uses pip/pip3 to resolve dependencies
+- **`pyproject.toml`** — uses [uv](https://docs.astral.sh/uv/) or [Poetry](https://python-poetry.org/) to resolve dependencies
+
+##### pyproject.toml
+
+For `pyproject.toml` projects, the client detects which tool manages the project by checking for lock files:
+- If `poetry.lock` is present and `[tool.poetry]` is defined, **Poetry** is used (`poetry show --tree` and `poetry show --all`)
+- If `uv.lock` is present, **uv** is used (`uv export --format requirements.txt --frozen --no-hashes`)
+- If neither lock file is found, an error is thrown
+
+Both PEP 621 (`[project]` dependencies) and Poetry-style (`[tool.poetry.dependencies]`) are supported.
+
+Custom executable paths can be set via `TRUSTIFY_DA_UV_PATH` and `TRUSTIFY_DA_POETRY_PATH`.
+
+##### requirements.txt
+
 By default, For python support, the api assumes that the package is installed using the pip/pip3 binary on the system PATH, or using the customized
 Binaries passed to environment variables. In any case, If the package is not installed , then an error will be thrown.
 

package/dist/package.json

@@ -38,31 +38,32 @@
         "lint": "eslint src test --ext js",
         "lint:fix": "eslint src test --ext js --fix",
         "test": "c8 npm run tests",
-        "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
+        "tests": "mocha --config .mocharc.json",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
-        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm",
+        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
         "precompile": "rm -rf dist",
         "compile": "tsc -p tsconfig.json",
         "compile:dev": "tsc -p tsconfig.dev.json",
-        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm"
+        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm dist/src/providers/tree-sitter-gomod.wasm"
     },
     "dependencies": {
         "@babel/core": "^7.23.2",
         "@cyclonedx/cyclonedx-library": "^6.13.0",
         "eslint-import-resolver-typescript": "^4.4.4",
         "fast-glob": "^3.3.3",
-        "fast-toml": "^0.5.4",
         "fast-xml-parser": "^5.3.4",
         "help": "^3.0.2",
         "https-proxy-agent": "^7.0.6",
         "js-yaml": "^4.1.1",
+        "jsonc-parser": "^3.3.1",
         "micromatch": "^4.0.8",
         "node-fetch": "^3.3.2",
         "p-limit": "^4.0.0",
         "packageurl-js": "~1.0.2",
         "smol-toml": "^1.6.0",
+        "tree-sitter-gomod": "github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda",
         "tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
-        "web-tree-sitter": "^0.26.6",
+        "web-tree-sitter": "^0.26.7",
         "yargs": "^18.0.0"
     },
     "devDependencies": {

package/dist/src/analysis.js

@@ -189,7 +189,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
-    const resp = await fetch(finalUrl, {
+    const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
             'Accept': html ? 'text/html' : 'application/json',
@@ -197,7 +197,8 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
             ...getTokenHeaders(opts)
         },
         body: JSON.stringify(imageSboms),
-    });
+    }, opts);
+    const resp = await fetch(finalUrl, fetchOptions);
     if (resp.status === 200) {
         let result;
         if (!html) {

package/dist/src/cli.js

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
+import fs from 'node:fs';
 import * as path from "path";
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import { getProjectLicense, getLicenseDetails } from './license/index.js';
-import client, { selectTrustifyDABackend } from './index.js';
+import client, { selectTrustifyDABackend, generateSbom } from './index.js';
 // command for component analysis take manifest type and content
 const component = {
     command: 'component </path/to/manifest>',
@@ -325,15 +326,63 @@ const license = {
         console.log(JSON.stringify(output, null, 2));
     }
 };
+const sbom = {
+    command: 'sbom </path/to/manifest> [--output]',
+    desc: 'generate a CycloneDX SBOM from a manifest file',
+    builder: yargs => yargs.positional('/path/to/manifest', {
+        desc: 'manifest path for SBOM generation',
+        type: 'string',
+        normalize: true,
+    }).options({
+        output: {
+            alias: 'o',
+            desc: 'Write SBOM JSON to a file instead of stdout',
+            type: 'string',
+            normalize: true,
+        },
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
+        }
+    }),
+    handler: async (args) => {
+        let manifest = args['/path/to/manifest'];
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
+        let result;
+        try {
+            result = await generateSbom(manifest, opts);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: `Failed to generate SBOM: ${err.message}` }, null, 2));
+            process.exit(1);
+        }
+        const json = JSON.stringify(result, null, 2);
+        if (args.output) {
+            try {
+                fs.writeFileSync(args.output, json);
+            }
+            catch (err) {
+                console.error(JSON.stringify({ error: `Failed to write output file: ${err.message}` }, null, 2));
+                process.exit(1);
+            }
+        }
+        else {
+            console.log(json);
+        }
+    }
+};
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license|sbom}`)
     .command(stack)
     .command(stackBatch)
     .command(component)
     .command(image)
     .command(validateToken)
     .command(license)
+    .command(sbom)
     .scriptName('')
     .version(false)
     .demandCommand(1)

package/dist/src/cyclone_dx_sbom.d.ts

@@ -18,9 +18,14 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope: any): CycloneDxSbom;
+    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope?: string, targetHashes?: Array<{
+        alg: string;
+        content: string;
+    }>): CycloneDxSbom;
     /** @param {{}} opts - various options, settings and configuration of application.
      * @return String CycloneDx Sbom json object in a string format
      */
@@ -50,6 +55,7 @@ export default class CycloneDxSbom {
         version: any;
         scope: any;
         licenses?: any;
+        hashes?: any;
     };
     /**
      * This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom
@@ -70,6 +76,13 @@ export default class CycloneDxSbom {
      * @return {boolean}
      */
     checkIfPackageInsideDependsOnList(component: any, name: string): boolean;
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef: PackageURL, purlPrefix: string): boolean;
     /** Removes the root component from the sbom
      */
     removeRootComponent(): void;

package/dist/src/cyclone_dx_sbom.js

@@ -6,10 +6,11 @@ import { PackageURL } from "packageurl-js";
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
  * @param licenses optional license string or array of licenses for the component
- * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
+ * @param hashes optional array of hash objects for the component, e.g. [{alg: "SHA-256", content: "..."}]
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?, hashes?}}
  * @private
  */
-function getComponent(component, type, scope, licenses) {
+function getComponent(component, type, scope, licenses, hashes) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -47,6 +48,10 @@ function getComponent(component, type, scope, licenses) {
             return lic;
         });
     }
+    // Add hashes if provided (CycloneDX 1.4 format).
+    if (hashes && hashes.length > 0) {
+        componentObject.hashes = hashes;
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -86,16 +91,24 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef, targetRef, scope) {
+    addDependency(sourceRef, targetRef, scope, targetHashes) {
         const sourcePurl = sourceRef.toString();
         const targetPurl = targetRef.toString();
         // Ensure both components exist in the components list
         [sourceRef, targetRef].forEach((ref, index) => {
             const purl = index === 0 ? sourcePurl : targetPurl;
-            if (this.getComponentIndex(purl) < 0) {
-                this.components.push(getComponent(ref, "library", scope));
+            const existingIndex = this.getComponentIndex(purl);
+            if (existingIndex < 0) {
+                const hashes = index === 1 ? targetHashes : undefined;
+                this.components.push(getComponent(ref, "library", scope, undefined, hashes));
+            }
+            else if (index === 1 && targetHashes && targetHashes.length > 0 && !this.components[existingIndex].hashes) {
+                // Update hashes if the component was first seen without them (e.g. as a source)
+                this.components[existingIndex].hashes = targetHashes;
             }
         });
         // Ensure source dependency exists
@@ -242,6 +255,20 @@ export default class CycloneDxSbom {
             return false;
         }
     }
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef, purlPrefix) {
+        const sourcePurl = sourceRef.toString();
+        const depIndex = this.getDependencyIndex(sourcePurl);
+        if (depIndex < 0) {
+            return false;
+        }
+        return this.dependencies[depIndex].dependsOn.some(dep => dep.startsWith(purlPrefix));
+    }
     /** Removes the root component from the sbom
      */
     removeRootComponent() {

package/dist/src/index.d.ts

@@ -13,6 +13,15 @@ export function selectTrustifyDABackend(opts?: {
     TRUSTIFY_DA_DEBUG?: string | undefined;
     TRUSTIFY_DA_BACKEND_URL?: string | undefined;
 }): string;
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export function generateSbom(manifestPath: string, opts?: Options): Promise<object>;
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 declare namespace _default {
@@ -21,6 +30,7 @@ declare namespace _default {
     export { stackAnalysisBatch };
     export { imageAnalysis };
     export { validateToken };
+    export { generateSbom };
 }
 export default _default;
 export type Options = {
@@ -64,11 +74,13 @@ export type Options = {
     TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined;
     batchMetadata?: boolean | undefined;
     TRUSTIFY_DA_BATCH_METADATA?: string | undefined;
+    TRUSTIFY_DA_UV_PATH?: string | undefined;
+    TRUSTIFY_DA_POETRY_PATH?: string | undefined;
     [key: string]: string | number | boolean | string[] | undefined;
 };
 export type BatchAnalysisMetadata = {
     workspaceRoot: string;
-    ecosystem: "javascript" | "cargo" | "unknown";
+    ecosystem: "javascript" | "cargo" | "pyproject" | "unknown";
     total: number;
     successful: number;
     failed: number;
@@ -124,19 +136,74 @@ declare function stackAnalysis(manifest: string, html: false, opts?: Options | u
  * 		or backend request failed
  */
 declare function stackAnalysis(manifest: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: string;
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<string>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<{
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
  * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
  * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
  */
-declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean, opts?: Options): Promise<string | {
+declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | {
     [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
 } | {
     analysis: string | {
@@ -184,6 +251,10 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
+import { discoverUvWorkspaceMembers } from './providers/python_uv.js';
 import { discoverWorkspacePackages } from './workspace.js';
 import { discoverWorkspaceCrates } from './workspace.js';
 import { validatePackageJson } from './workspace.js';
@@ -191,5 +262,5 @@ import { resolveWorkspaceDiscoveryIgnore } from './workspace.js';
 import { filterManifestPathsByDiscoveryIgnore } from './workspace.js';
 import { resolveContinueOnError } from './batch_opts.js';
 import { resolveBatchMetadata } from './batch_opts.js';
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverUvWorkspaceMembers, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";