@trustify-da/trustify-da-javascript-client 0.3.0-ea.c9a9877 → 0.3.0-ea.cb4ae28

package/dist/src/provider.js

@@ -8,7 +8,7 @@ import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided, provideStack: function(string, {}): Provided}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -23,6 +23,21 @@ export const availableProviders = [
     golangGomodulesProvider,
     pythonPipProvider
 ];
+/**
+ * Match a provider by manifest type only (no lock file check). Used for license reading.
+ * @param {string} manifestPath - path or name of the manifest
+ * @param {[Provider]} providers - list of providers to iterate over
+ * @returns {Provider}
+ * @throws {Error} when the manifest is not supported and no provider was matched
+ */
+export function matchForLicense(manifestPath, providers) {
+    const base = path.parse(manifestPath).base;
+    const provider = providers.find(prov => prov.isSupported(base));
+    if (!provider) {
+        throw new Error(`${base} is not supported`);
+    }
+    return provider;
+}
 /**
  * Match a provider from a list or providers based on file type.
  * Each provider MUST export 'isSupported' taking a file name-type and returning true if supported.

package/dist/src/providers/base_java.d.ts

@@ -1,6 +1,4 @@
-/// <reference types="node" />
-/// <reference types="packageurl-js/src/package-url.js" />
-export type ecosystem_maven = import('../provider').Provider;
+export type ecosystem_maven = import("../provider").Provider;
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -51,7 +49,7 @@ export default class Base_Java {
      * @param {import('child_process').ExecFileOptionsWithStringEncoding} [opts={}]
      * @protected
      */
-    protected _invokeCommand(bin: any, args: any, opts?: import("child_process").ExecFileOptionsWithStringEncoding | undefined): string;
+    protected _invokeCommand(bin: any, args: any, opts?: import("child_process").ExecFileOptionsWithStringEncoding): string;
     /**
      *
      * @param {string} manifestPath
@@ -70,7 +68,7 @@ export default class Base_Java {
     normalizePath(thePath: any): string;
     #private;
 }
-export type Provided = import('../provider').Provided;
+export type Provided = import("../provider").Provided;
 export type Package = {
     name: string;
     version: string;

package/dist/src/providers/base_javascript.d.ts

@@ -1,5 +1,6 @@
-/** @typedef {import('../provider.js').Provider} Provider */
-/** @typedef {import('../provider.js').Provided} Provided */
+export type purlType = import("../provider").Provider;
+/** @typedef {import('../provider').Provider} */
+/** @typedef {import('../provider').Provided} Provided */
 /**
  * The ecosystem identifier for JavaScript/npm packages
  * @type {string}
@@ -85,6 +86,12 @@ export default class Base_javascript {
    * @returns {Provided} The provided data for component analysis
    */
     provideComponent(manifestPath: string, opts?: any): Provided;
+    /**
+     * Read license from manifest (package.json). Reused by npm, pnpm, yarn.
+     * @param {string} manifestPath - path to package.json
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath: string): string | null;
     /**
    * Builds the dependency tree for the project
    * @param {boolean} includeTransitive - Whether to include transitive dependencies
@@ -121,7 +128,6 @@ export default class Base_javascript {
     protected _parseDepTreeOutput(output: string): string;
     #private;
 }
-export type Provider = import('../provider.js').Provider;
-export type Provided = import('../provider.js').Provided;
+export type Provided = import("../provider").Provided;
 import Manifest from './manifest.js';
 import Sbom from '../sbom.js';

package/dist/src/providers/base_javascript.js

@@ -1,11 +1,12 @@
 import fs from 'node:fs';
 import os from "node:os";
 import path from 'node:path';
+import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom, getCustomPath, invokeCommand, toPurl, toPurlFromString } from "../tools.js";
 import Manifest from './manifest.js';
-/** @typedef {import('../provider.js').Provider} Provider */
-/** @typedef {import('../provider.js').Provided} Provided */
+/** @typedef {import('../provider').Provider} */
+/** @typedef {import('../provider').Provided} Provided */
 /**
  * The ecosystem identifier for JavaScript/npm packages
  * @type {string}
@@ -132,6 +133,29 @@ export default class Base_javascript {
             contentType: 'application/vnd.cyclonedx+json'
         };
     }
+    /**
+     * Read license from manifest (package.json). Reused by npm, pnpm, yarn.
+     * @param {string} manifestPath - path to package.json
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath) {
+        let manifestLicense;
+        try {
+            const content = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
+            if (typeof content.license === 'string') {
+                manifestLicense = content.license.trim() || null;
+            }
+            else if (Array.isArray(content.licenses) && content.licenses.length > 0) {
+                const first = content.licenses[0];
+                const name = first.type || first.name;
+                manifestLicense = (typeof name === 'string' ? name.trim() : null);
+            }
+        }
+        catch {
+            manifestLicense = null;
+        }
+        return getLicense(manifestLicense, manifestPath);
+    }
     /**
    * Builds the dependency tree for the project
    * @param {boolean} includeTransitive - Whether to include transitive dependencies
@@ -155,8 +179,9 @@ export default class Base_javascript {
     #getSBOM(opts = {}) {
         const depsObject = this._buildDependencyTree(true);
         let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const license = this.readLicenseFromManifest(this.#manifest.manifestPath);
         let sbom = new Sbom();
-        sbom.addRoot(mainComponent);
+        sbom.addRoot(mainComponent, license);
         this._addDependenciesToSbom(sbom, depsObject);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
@@ -206,8 +231,9 @@ export default class Base_javascript {
     #getDirectDependencySbom(opts = {}) {
         const depTree = this._buildDependencyTree(false);
         let mainComponent = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const license = this.readLicenseFromManifest(this.#manifest.manifestPath);
         let sbom = new Sbom();
-        sbom.addRoot(mainComponent);
+        sbom.addRoot(mainComponent, license);
         const rootDeps = this._getRootDependencies(depTree);
         const sortedDepsKeys = Array
             .from(rootDeps.keys())

package/dist/src/providers/golang_gomodules.d.ts

@@ -3,9 +3,10 @@ declare namespace _default {
     export { validateLockFile };
     export { provideComponent };
     export { provideStack };
+    export { readLicenseFromManifest };
 }
 export default _default;
-export type Provided = import('../provider').Provided;
+export type Provided = import("../provider").Provided;
 export type Package = {
     name: string;
     version: string;
@@ -20,7 +21,7 @@ export type Dependency = {
 /**
  * @param {string} manifestName - the subject manifest name-type
  * @returns {boolean} - return true if `pom.xml` is the manifest name-type
- */
+*/
 declare function isSupported(manifestName: string): boolean;
 /**
  * @param {string} manifestDir - the directory where the manifest lies
@@ -32,11 +33,17 @@ declare function validateLockFile(): boolean;
  * @param {{}} [opts={}] - optional various options to pass along the application
  * @returns {Provided}
  */
-declare function provideComponent(manifest: string, opts?: {} | undefined): Provided;
+declare function provideComponent(manifest: string, opts?: {}): Provided;
 /**
  * Provide content and content type for maven-maven stack analysis.
  * @param {string} manifest - the manifest path or name
  * @param {{}} [opts={}] - optional various options to pass along the application
  * @returns {Provided}
  */
-declare function provideStack(manifest: string, opts?: {} | undefined): Provided;
+declare function provideStack(manifest: string, opts?: {}): Provided;
+/**
+ * Go modules have no standard license field in go.mod
+ * @param {string} manifestPath - path to go.mod
+ * @returns {string|null}
+*/
+declare function readLicenseFromManifest(manifestPath: string): string | null;

package/dist/src/providers/golang_gomodules.js

@@ -2,9 +2,10 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { EOL } from "os";
 import { PackageURL } from 'packageurl-js';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom, getCustomPath, invokeCommand } from "../tools.js";
-export default { isSupported, validateLockFile, provideComponent, provideStack };
+export default { isSupported, validateLockFile, provideComponent, provideStack, readLicenseFromManifest };
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -12,16 +13,23 @@ export default { isSupported, validateLockFile, provideComponent, provideStack }
 /**
  * @type {string} ecosystem for npm-npm is 'maven'
  * @private
- */
+*/
 const ecosystem = 'golang';
 const defaultMainModuleVersion = "v0.0.0";
 /**
  * @param {string} manifestName - the subject manifest name-type
  * @returns {boolean} - return true if `pom.xml` is the manifest name-type
- */
+*/
 function isSupported(manifestName) {
     return 'go.mod' === manifestName;
 }
+/**
+ * Go modules have no standard license field in go.mod
+ * @param {string} manifestPath - path to go.mod
+ * @returns {string|null}
+*/
+// eslint-disable-next-line no-unused-vars
+function readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
 /**
  * @param {string} manifestDir - the directory where the manifest lies
  */
@@ -250,7 +258,8 @@ function getSBOM(manifest, opts = {}, includeTransitive) {
         performManifestVersionsCheck(root, rows, manifest);
     }
     const mainModule = toPurl(root, "@");
-    sbom.addRoot(mainModule);
+    const license = readLicenseFromManifest(manifest);
+    sbom.addRoot(mainModule, license);
     const exhortGoMvsLogicEnabled = getCustom("TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED", "true", opts);
     if (includeTransitive && exhortGoMvsLogicEnabled === "true") {
         rows = getFinalPackagesVersionsForModule(rows, manifest, goBin);

package/dist/src/providers/java_gradle.d.ts

@@ -15,21 +15,27 @@ export default class Java_gradle extends Base_java {
      * @param {string} manifestDir - the directory where the manifest lies
      */
     validateLockFile(): boolean;
+    /**
+     * Gradle manifests (build.gradle, build.gradle.kts) have no standard license field.
+     * @param {string} manifestPath - path to manifest
+     * @returns {null}
+     */
+    readLicenseFromManifest(manifestPath: string): null;
     /**
      * Provide content and content type for stack analysis.
      * @param {string} manifest - the manifest path or name
      * @param {{}} [opts={}] - optional various options to pass along the application
      * @returns {Provided}
      */
-    provideStack(manifest: string, opts?: {} | undefined): Provided;
+    provideStack(manifest: string, opts?: {}): Provided;
     /**
      * Provide content and content type for maven-maven component analysis.
      * @param {string} manifest - path to pom.xml for component report
      * @param {{}} [opts={}] - optional various options to pass along the application
      * @returns {Provided}
      */
-    provideComponent(manifest: string, opts?: {} | undefined): Provided;
+    provideComponent(manifest: string, opts?: {}): Provided;
     #private;
 }
-export type Provided = import('../provider.js').Provided;
+export type Provided = import("../provider.js").Provided;
 import Base_java from "./base_java.js";

package/dist/src/providers/java_gradle.js

@@ -2,6 +2,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { EOL } from 'os';
 import TOML from 'fast-toml';
+import { readLicenseFile } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import Base_java, { ecosystem_gradle } from "./base_java.js";
 /** @typedef {import('../provider.js').Provider} */
@@ -49,6 +50,13 @@ export default class Java_gradle extends Base_java {
      * @param {string} manifestDir - the directory where the manifest lies
      */
     validateLockFile() { return true; }
+    /**
+     * Gradle manifests (build.gradle, build.gradle.kts) have no standard license field.
+     * @param {string} manifestPath - path to manifest
+     * @returns {null}
+     */
+    // eslint-disable-next-line no-unused-vars
+    readLicenseFromManifest(manifestPath) { return readLicenseFile(manifestPath); }
     /**
      * Provide content and content type for stack analysis.
      * @param {string} manifest - the manifest path or name
@@ -158,7 +166,8 @@ export default class Java_gradle extends Base_java {
         let sbom = new Sbom();
         let root = `${properties.group}:${properties[ROOT_PROJECT_KEY_NAME].match(/Root project '(.+)'/)[1]}:jar:${properties.version}`;
         let rootPurl = this.parseDep(root);
-        sbom.addRoot(rootPurl);
+        const license = this.readLicenseFromManifest(manifestPath);
+        sbom.addRoot(rootPurl, license);
         let ignoredDeps = this.#getIgnoredDeps(manifestPath);
         const [runtimeConfig, compileConfig] = this.#extractConfigurations(content);
         const processedDeps = new Set();
@@ -298,7 +307,8 @@ export default class Java_gradle extends Base_java {
         let sbom = new Sbom();
         let root = `${properties.group}:${properties[ROOT_PROJECT_KEY_NAME].match(/Root project '(.+)'/)[1]}:jar:${properties.version}`;
         let rootPurl = this.parseDep(root);
-        sbom.addRoot(rootPurl);
+        const license = this.readLicenseFromManifest(manifestPath);
+        sbom.addRoot(rootPurl, license);
         let ignoredDeps = this.#getIgnoredDeps(manifestPath);
         const [runtimeConfig, compileConfig] = this.#extractConfigurations(content);
         let directDependencies = new Map();

package/dist/src/providers/java_gradle_groovy.d.ts

@@ -3,5 +3,5 @@ export default class Java_gradle_groovy extends Java_gradle {
     _parseAliasForLibsNotation(alias: any): any;
     _extractDepToBeIgnored(dep: any): any;
 }
-export type Provided = import('../provider').Provided;
+export type Provided = import("../provider").Provided;
 import Java_gradle from './java_gradle.js';

package/dist/src/providers/java_gradle_kotlin.d.ts

@@ -7,5 +7,5 @@ export default class Java_gradle_kotlin extends Java_gradle {
     _parseAliasForLibsNotation(alias: any): any;
     _extractDepToBeIgnored(dep: any): string | null;
 }
-export type Provided = import('../provider').Provided;
+export type Provided = import("../provider").Provided;
 import Java_gradle from './java_gradle.js';

package/dist/src/providers/java_maven.d.ts

@@ -19,25 +19,32 @@ export default class Java_maven extends Base_java {
      * @param {{}} [opts={}] - optional various options to pass along the application
      * @returns {Provided}
      */
-    provideStack(manifest: string, opts?: {} | undefined): Provided;
+    provideStack(manifest: string, opts?: {}): Provided;
     /**
      * Provide content and content type for maven-maven component analysis.
      * @param {string} manifest - path to the manifest file
      * @param {{}} [opts={}] - optional various options to pass along the application
      * @returns {Provided}
      */
-    provideComponent(manifest: string, opts?: {} | undefined): Provided;
+    provideComponent(manifest: string, opts?: {}): Provided;
+    /**
+     * Read license from pom.xml manifest, with fallback to LICENSE file
+     * @param {string} manifestPath - path to pom.xml
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath: string): string | null;
     /**
      *
      * @param {String} textGraphList Text graph String of the manifest
      * @param {[String]} ignoredDeps List of ignored dependencies to be omitted from sbom
+     * @param {String} manifestPath Path to the pom.xml manifest
      * @return {String} formatted sbom Json String with all dependencies
      */
-    createSbomFileFromTextFormat(textGraphList: string, ignoredDeps: [string], opts: any): string;
+    createSbomFileFromTextFormat(textGraphList: string, ignoredDeps: [string], opts: any, manifestPath: string): string;
     #private;
 }
-export type Java_maven = import('../provider').Provider;
-export type Provided = import('../provider').Provided;
+export type Java_maven = import("../provider").Provider;
+export type Provided = import("../provider").Provided;
 export type Package = {
     name: string;
     version: string;

package/dist/src/providers/java_maven.js

@@ -3,6 +3,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { EOL } from 'os';
 import { XMLParser } from 'fast-xml-parser';
+import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
 import { getCustom } from '../tools.js';
 import Base_java, { ecosystem_maven } from "./base_java.js";
@@ -51,6 +52,30 @@ export default class Java_maven extends Base_java {
             contentType: 'application/vnd.cyclonedx+json'
         };
     }
+    /**
+     * Read license from pom.xml manifest, with fallback to LICENSE file
+     * @param {string} manifestPath - path to pom.xml
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath) {
+        let fromPom = null;
+        try {
+            const xml = fs.readFileSync(manifestPath, 'utf-8');
+            const parser = new XMLParser({ ignoreAttributes: false });
+            const obj = parser.parse(xml);
+            const project = obj?.project;
+            if (project?.licenses?.license) {
+                const license = Array.isArray(project.licenses.license)
+                    ? project.licenses.license[0]
+                    : project.licenses.license;
+                fromPom = (license?.name && license.name.trim()) || null;
+            }
+        }
+        catch {
+            // leave fromPom as null
+        }
+        return getLicense(fromPom, manifestPath);
+    }
     /**
      * Create a Dot Graph dependency tree for a manifest path.
      * @param {string} manifest - path for pom.xml
@@ -105,7 +130,7 @@ export default class Java_maven extends Base_java {
         if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
             console.error("Dependency tree that will be used as input for creating the BOM =>" + EOL + EOL + content.toString());
         }
-        let sbom = this.createSbomFileFromTextFormat(content.toString(), ignoredDeps, opts);
+        let sbom = this.createSbomFileFromTextFormat(content.toString(), ignoredDeps, opts, manifest);
         // delete temp file and directory
         fs.rmSync(tmpDir, { recursive: true, force: true });
         // return dependency graph as string
@@ -115,15 +140,17 @@ export default class Java_maven extends Base_java {
      *
      * @param {String} textGraphList Text graph String of the manifest
      * @param {[String]} ignoredDeps List of ignored dependencies to be omitted from sbom
+     * @param {String} manifestPath Path to the pom.xml manifest
      * @return {String} formatted sbom Json String with all dependencies
      */
-    createSbomFileFromTextFormat(textGraphList, ignoredDeps, opts) {
+    createSbomFileFromTextFormat(textGraphList, ignoredDeps, opts, manifestPath) {
         let lines = textGraphList.split(EOL);
         // get root component
         let root = lines[0];
         let rootPurl = this.parseDep(root);
+        const license = this.readLicenseFromManifest(manifestPath);
         let sbom = new Sbom();
-        sbom.addRoot(rootPurl);
+        sbom.addRoot(rootPurl, license);
         this.parseDependencyTree(root, 0, lines.slice(1), sbom);
         return sbom.filterIgnoredDeps(ignoredDeps).getAsJsonString(opts);
     }
@@ -156,7 +183,8 @@ export default class Java_maven extends Base_java {
         let sbom = new Sbom();
         let rootDependency = this.#getRootFromPom(tmpEffectivePom, manifestPath);
         let purlRoot = this.toPurl(rootDependency.groupId, rootDependency.artifactId, rootDependency.version);
-        sbom.addRoot(purlRoot);
+        const license = this.readLicenseFromManifest(manifestPath);
+        sbom.addRoot(purlRoot, license);
         dependencies.forEach(dep => {
             let currentPurl = this.toPurl(dep.groupId, dep.artifactId, dep.version);
             sbom.addDependency(purlRoot, currentPurl);
@@ -209,7 +237,7 @@ export default class Java_maven extends Base_java {
         let ignored = [];
         // build xml parser with options
         let parser = new XMLParser({
-            commentPropName: '#comment',
+            commentPropName: '#comment', // mark comments with #comment
             isArray: (_, jpath) => 'project.dependencies.dependency' === jpath,
             parseTagValue: false
         });

package/dist/src/providers/python_controller.d.ts

@@ -15,13 +15,16 @@ export default class Python_controller {
     realEnvironment: boolean;
     pathToRequirements: string;
     options: {};
+    parser: Promise<import("web-tree-sitter").Parser>;
+    requirementsQuery: Promise<import("web-tree-sitter").Query>;
+    pinnedVersionQuery: Promise<import("web-tree-sitter").Query>;
     prepareEnvironment(): void;
     /**
      *
      * @param {boolean} includeTransitive - whether to return include in returned object transitive dependencies or not
-     * @return {[DependencyEntry]}
+     * @return {Promise<[DependencyEntry]>}
      */
-    getDependencies(includeTransitive: boolean): [DependencyEntry];
+    getDependencies(includeTransitive: boolean): Promise<[DependencyEntry]>;
     #private;
 }
 export type DependencyEntry = {