@trustify-da/trustify-da-javascript-client 0.3.0-ea.b8af0f8 → 0.3.0-ea.bbe2094

package/dist/src/index.js

@@ -6,14 +6,18 @@ import analysis from './analysis.js';
 import fs from 'node:fs';
 import { getCustom } from "./tools.js";
 import { resolveBatchMetadata, resolveContinueOnError } from './batch_opts.js';
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
+import { discoverUvWorkspaceMembers } from './providers/python_uv.js';
 import { discoverWorkspaceCrates, discoverWorkspacePackages, filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, validatePackageJson, } from './workspace.js';
 import.meta.dirname;
 import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
-export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken };
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
+export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverUvWorkspaceMembers, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
  * TRUSTIFY_DA_CARGO_PATH?: string | undefined,
@@ -56,13 +60,15 @@ export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson
  * TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined,
  * batchMetadata?: boolean | undefined,
  * TRUSTIFY_DA_BATCH_METADATA?: string | undefined,
+ * TRUSTIFY_DA_UV_PATH?: string | undefined,
+ * TRUSTIFY_DA_POETRY_PATH?: string | undefined,
  * [key: string]: string | number | boolean | string[] | undefined,
  * }} Options
  */
 /**
  * @typedef {{
  *   workspaceRoot: string,
- *   ecosystem: 'javascript' | 'cargo' | 'unknown',
+ *   ecosystem: 'javascript' | 'cargo' | 'pyproject' | 'unknown',
  *   total: number,
  *   successful: number,
  *   failed: number,
@@ -235,6 +241,22 @@ function buildBatchAnalysisMetadata(root, ecosystem, totalSbomAttempts, successf
         errors: [...errors],
     };
 }
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export async function generateSbom(manifestPath, opts = {}) {
+    fs.accessSync(manifestPath, fs.constants.R_OK);
+    const result = await generateOneSbom(manifestPath, opts);
+    if (!result.ok) {
+        throw new Error(`Failed to generate SBOM for ${result.manifestPath}: ${result.reason}`);
+    }
+    return result.sbom;
+}
 /**
  * @typedef {{ ok: true, purl: string, sbom: object } | { ok: false, manifestPath: string, reason: string }} SbomResult
  */
@@ -261,17 +283,45 @@ async function generateOneSbom(manifestPath, workspaceOpts) {
  *
  * @param {string} root - Resolved workspace root
  * @param {Options} opts
- * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'unknown', manifestPaths: string[] }>}
+ * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'maven' | 'gradle' | 'gomodules' | 'pyproject' | 'unknown', manifestPaths: string[] }>}
  * @private
  */
 async function detectWorkspaceManifests(root, opts) {
     const cargoToml = path.join(root, 'Cargo.toml');
     const cargoLock = path.join(root, 'Cargo.lock');
     const packageJson = path.join(root, 'package.json');
+    const pomXml = path.join(root, 'pom.xml');
     if (fs.existsSync(cargoToml) && fs.existsSync(cargoLock)) {
         return { ecosystem: 'cargo', manifestPaths: await discoverWorkspaceCrates(root, opts) };
     }
-    const hasJsLock = fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
+    if (fs.existsSync(pomXml)) {
+        const manifestPaths = await discoverMavenModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'maven', manifestPaths };
+        }
+    }
+    const hasGradleSettings = fs.existsSync(path.join(root, 'settings.gradle'))
+        || fs.existsSync(path.join(root, 'settings.gradle.kts'));
+    if (hasGradleSettings) {
+        const manifestPaths = await discoverGradleSubprojects(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'gradle', manifestPaths };
+        }
+    }
+    if (fs.existsSync(path.join(root, 'go.work'))) {
+        const manifestPaths = await discoverGoWorkspaceModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'gomodules', manifestPaths };
+        }
+    }
+    if (fs.existsSync(path.join(root, 'pyproject.toml')) && fs.existsSync(path.join(root, 'uv.lock'))) {
+        const manifestPaths = await discoverUvWorkspaceMembers(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'pyproject', manifestPaths };
+        }
+    }
+    const hasJsLock = fs.existsSync(path.join(root, 'bun.lock'))
+        || fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
         || fs.existsSync(path.join(root, 'yarn.lock'))
         || fs.existsSync(path.join(root, 'package-lock.json'));
     if (fs.existsSync(packageJson) && hasJsLock) {
@@ -380,12 +430,45 @@ function batchError(message, wantMetadata, metadata) {
     }
     return err;
 }
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
@@ -416,7 +499,7 @@ async function stackAnalysisBatch(workspaceRoot, html = false, opts = {}) {
         }
     }
     if (manifestPaths.length === 0) {
-        throw new Error(`No workspace manifests found at ${root}. Ensure Cargo.toml+Cargo.lock or package.json+lock file exist.`);
+        throw new Error(`No workspace manifests found at ${root}. Ensure a supported workspace root exists (Cargo.toml+Cargo.lock, pom.xml, build.gradle, go.work, pyproject.toml+uv.lock, or package.json+lock file).`);
     }
     const workspaceOpts = { ...opts, TRUSTIFY_DA_WORKSPACE_DIR: root };
     const concurrency = resolveBatchConcurrency(opts);

package/dist/src/oci_image/utils.js

@@ -135,7 +135,7 @@ function execSyft(imageRef, opts = {}) {
 function getSyftEnvs(dockerPath, podmanPath) {
     let path = null;
     if (dockerPath && podmanPath) {
-        path = `${dockerPath}${File.pathSeparator}${podmanPath}`;
+        path = `${dockerPath}${delimiter}${podmanPath}`;
     }
     else if (dockerPath) {
         path = dockerPath;
@@ -276,7 +276,16 @@ function podmanGetVariant(opts = {}) {
  * @returns {string} - The information
  */
 function dockerPodmanInfo(dockerSupplier, podmanSupplier, opts = {}) {
-    return dockerSupplier(opts) || podmanSupplier(opts);
+    try {
+        const result = dockerSupplier(opts);
+        if (result) {
+            return result;
+        }
+    }
+    catch (_) {
+        // docker not available, fall through to podman
+    }
+    return podmanSupplier(opts);
 }
 /**
  * Gets the digests for an image

package/dist/src/provider.js

@@ -3,10 +3,14 @@ import golangGomodulesProvider from './providers/golang_gomodules.js';
 import Java_gradle_groovy from "./providers/java_gradle_groovy.js";
 import Java_gradle_kotlin from "./providers/java_gradle_kotlin.js";
 import Java_maven from "./providers/java_maven.js";
+import Javascript_bun from './providers/javascript_bun.js';
 import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_pip_pyproject from './providers/python_pip_pyproject.js';
+import Python_poetry from './providers/python_poetry.js';
+import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
 /** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
@@ -18,11 +22,15 @@ export const availableProviders = [
     new Java_maven(),
     new Java_gradle_groovy(),
     new Java_gradle_kotlin(),
+    new Javascript_bun(),
     new Javascript_pnpm(),
     new Javascript_yarn(),
     new Javascript_npm(),
     golangGomodulesProvider,
     pythonPipProvider,
+    new Python_poetry(),
+    new Python_uv(),
+    new Python_pip_pyproject(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_java.d.ts

@@ -57,15 +57,6 @@ export default class Base_Java {
      * @returns string
      */
     selectToolBinary(manifestPath: string, opts: {}): string | null;
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest: string, repoRoot?: string): string | undefined;
-    normalizePath(thePath: any): string;
     #private;
 }
 export type Provided = import("../provider").Provided;

package/dist/src/providers/base_java.js

@@ -1,7 +1,6 @@
-import fs from 'node:fs';
 import path from 'node:path';
 import { PackageURL } from 'packageurl-js';
-import { getCustomPath, getGitRootDir, getWrapperPreference, invokeCommand } from "../tools.js";
+import { getCustomPath, getWrapperPreference, invokeCommand, traverseForWrapper } from "../tools.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -131,7 +130,7 @@ export default class Base_Java {
         const toolPath = getCustomPath(this.globalBinary, opts);
         const useWrapper = getWrapperPreference(this.globalBinary, opts);
         if (useWrapper) {
-            const wrapper = this.traverseForWrapper(manifestPath);
+            const wrapper = traverseForWrapper(manifestDir, this.localWrapper);
             if (wrapper !== undefined) {
                 try {
                     this._invokeCommand(wrapper, ['--version'], { cwd: manifestDir });
@@ -156,39 +155,4 @@ export default class Base_Java {
         }
         return toolPath;
     }
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest, repoRoot = undefined) {
-        const normalizedManifest = this.normalizePath(startingManifest);
-        const currentDir = this.normalizePath(path.dirname(normalizedManifest));
-        repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(normalizedManifest).root;
-        const wrapperPath = path.join(currentDir, this.localWrapper);
-        try {
-            fs.accessSync(wrapperPath, fs.constants.X_OK);
-            return wrapperPath;
-        }
-        catch (error) {
-            if (error.code === 'ENOENT') {
-                const rootDir = path.parse(currentDir).root;
-                if (currentDir === repoRoot || currentDir === rootDir) {
-                    return undefined;
-                }
-                const parentDir = path.dirname(currentDir);
-                if (parentDir === currentDir || parentDir === rootDir) {
-                    return undefined;
-                }
-                return this.traverseForWrapper(path.join(parentDir, path.basename(normalizedManifest)), repoRoot);
-            }
-            throw new Error(`failure searching for ${this.localWrapper}`, { cause: error });
-        }
-    }
-    normalizePath(thePath) {
-        const normalized = path.resolve(thePath).normalize();
-        return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
-    }
 }

package/dist/src/providers/base_javascript.d.ts

@@ -136,6 +136,12 @@ export default class Base_javascript {
    */
     protected _version(): string;
     /**
+   * Creates or updates the lock file for the package manager
+   * @param {string} manifestDir - Directory containing the manifest file
+   * @protected
+   */
+    protected _createLockFile(manifestDir: string): void;
+    /**
    * Parses the dependency tree output
    * @param {string} output - The output to parse
    * @returns {string} The parsed output

package/dist/src/providers/base_javascript.js

@@ -217,7 +217,7 @@ export default class Base_javascript {
         this._version();
         const manifestDir = path.dirname(this.#manifest.manifestPath);
         const cmdDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
-        this.#createLockFile(cmdDir);
+        this._createLockFile(cmdDir);
         let output = this.#executeListCmd(includeTransitive, cmdDir);
         output = this._parseDepTreeOutput(output);
         return JSON.parse(output);
@@ -235,9 +235,32 @@ export default class Base_javascript {
         let sbom = new Sbom();
         sbom.addRoot(mainComponent, license);
         this._addDependenciesToSbom(sbom, depsObject);
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
+    /**
+     * Ensures peer and optional dependencies declared in the manifest are
+     * present in the SBOM, even when the package manager does not resolve them
+     * (e.g. yarn does not include peer deps in its dependency listing).
+     * @param {Sbom} sbom - The SBOM to supplement
+     * @private
+     */
+    #ensurePeerAndOptionalDeps(sbom) {
+        const rootPurl = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const depSources = [this.#manifest.peerDependencies, this.#manifest.optionalDependencies];
+        for (const source of depSources) {
+            for (const [name, version] of Object.entries(source)) {
+                // Build the purl prefix for exact matching (e.g. "pkg:npm/minimist@"
+                // or "pkg:npm/%40hapi/joi@") to avoid substring false positives
+                const probe = toPurl(purlType, name, version);
+                const purlPrefix = probe.toString().replace(/@[^@]*$/, '@');
+                if (!sbom.checkDependsOnByPurlPrefix(rootPurl, purlPrefix)) {
+                    sbom.addDependency(rootPurl, probe);
+                }
+            }
+        }
+    }
     /**
    * Recursively builds the Sbom from the JSON that npm listing returns
    * @param {Sbom} sbom - The SBOM object to add dependencies to
@@ -245,7 +268,10 @@ export default class Base_javascript {
    * @protected
    */
     _addDependenciesToSbom(sbom, depTree) {
-        const dependencies = depTree["dependencies"] || {};
+        const dependencies = {
+            ...depTree["dependencies"],
+            ...depTree["optionalDependencies"],
+        };
         Object.entries(dependencies)
             .forEach(entry => {
             const [name, artifact] = entry;
@@ -295,6 +321,7 @@ export default class Base_javascript {
             const rootPurl = toPurlFromString(sbom.getRoot().purl);
             sbom.addDependency(rootPurl, rootDeps.get(key));
         }
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
@@ -305,10 +332,14 @@ export default class Base_javascript {
    * @protected
    */
     _getRootDependencies(depTree) {
-        if (!depTree.dependencies) {
+        const allDeps = {
+            ...depTree.dependencies,
+            ...depTree.optionalDependencies,
+        };
+        if (Object.keys(allDeps).length === 0) {
             return new Map();
         }
-        return new Map(Object.entries(depTree.dependencies).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
+        return new Map(Object.entries(allDeps).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
     }
     /**
    * Executes the list command to get dependencies
@@ -332,9 +363,9 @@ export default class Base_javascript {
     /**
    * Creates or updates the lock file for the package manager
    * @param {string} manifestDir - Directory containing the manifest file
-   * @private
+   * @protected
    */
-    #createLockFile(manifestDir) {
+    _createLockFile(manifestDir) {
         const originalDir = process.cwd();
         const isWindows = os.platform() === 'win32';
         if (isWindows) {

package/dist/src/providers/base_pyproject.d.ts

@@ -0,0 +1,153 @@
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
+/** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
+/** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
+/** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
+export default class Base_pyproject {
+    /**
+     * @param {string} manifestName
+     * @returns {boolean}
+     */
+    isSupported(manifestName: string): boolean;
+    /**
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: any): boolean;
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    protected _findLockFileDir(manifestDir: string, opts?: any): string | null;
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    protected _isWorkspaceRoot(dir: string): boolean;
+    /**
+     * Read project license from pyproject.toml, with fallback to LICENSE file.
+     * @param {string} manifestPath
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath: string): string | null;
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    provideStack(manifest: string, opts?: any): Promise<Provided>;
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    provideComponent(manifest: string, opts?: any): Promise<Provided>;
+    /**
+     * @returns {string}
+     * @protected
+     */
+    protected _lockFileName(): string;
+    /**
+     * @returns {string}
+     * @protected
+     */
+    protected _cmdName(): string;
+    /**
+     * Resolve dependencies using the tool-specific command and parser.
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<DependencyData>}
+     * @protected
+     */
+    protected _getDependencyData(manifestDir: string, workspaceDir: string, parsed: object, opts: any): Promise<DependencyData>;
+    /**
+     * Canonicalize a Python package name per PEP 503.
+     * @param {string} name
+     * @returns {string}
+     * @protected
+     */
+    protected _canonicalize(name: string): string;
+    /**
+     * Get the project name from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    protected _getProjectName(parsed: object): string | null;
+    /**
+     * Get the project version from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    protected _getProjectVersion(parsed: object): string | null;
+    /**
+     * Scan raw pyproject.toml text for dependencies with ignore markers.
+     * @param {string} manifestPath
+     * @returns {Set<string>}
+     * @protected
+     */
+    protected _getIgnoredDeps(manifestPath: string): Set<string>;
+    /**
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} directDeps
+     * @param {Set<string>} ignoredDeps
+     * @returns {Set<string>}
+     * @protected
+     */
+    protected _reachableNodes(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>): Set<string>;
+    /**
+     * @param {string} name
+     * @param {string} version
+     * @returns {PackageURL}
+     * @protected
+     */
+    protected _toPurl(name: string, version: string): PackageURL;
+    /**
+     * Create SBOM json string for a pyproject.toml project.
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} opts
+     * @param {boolean} includeTransitive
+     * @returns {Promise<string>}
+     * @private
+     */
+    private _createSbom;
+}
+export type GraphEntry = {
+    name: string;
+    version: string;
+    children: string[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
+};
+export type DepTreeEntry = {
+    name: string;
+    version: string;
+    dependencies: DepTreeEntry[];
+};
+export type DependencyData = {
+    directDeps: string[];
+    graph: Map<string, GraphEntry>;
+};
+export type Provided = {
+    ecosystem: string;
+    content: string;
+    contentType: string;
+};
+import { PackageURL } from 'packageurl-js';