npm - @trustify-da/trustify-da-javascript-client - Versions diffs - 0.3.0-ea.cdf078c → 0.3.0-ea.d2fee6b - Mend

@trustify-da/trustify-da-javascript-client 0.3.0-ea.cdf078c → 0.3.0-ea.d2fee6b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/dist/src/cyclone_dx_sbom.d.ts +7 -1
package/dist/src/cyclone_dx_sbom.js +18 -5
package/dist/src/index.d.ts +60 -2
package/dist/src/index.js +60 -3
package/dist/src/provider.js +2 -0
package/dist/src/providers/base_java.d.ts +0 -9
package/dist/src/providers/base_java.js +2 -38
package/dist/src/providers/base_pyproject.d.ts +9 -26
package/dist/src/providers/base_pyproject.js +50 -73
package/dist/src/providers/golang_gomodules.d.ts +9 -0
package/dist/src/providers/golang_gomodules.js +49 -0
package/dist/src/providers/java_gradle.d.ts +19 -0
package/dist/src/providers/java_gradle.js +114 -0
package/dist/src/providers/java_maven.d.ts +8 -0
package/dist/src/providers/java_maven.js +93 -1
package/dist/src/providers/javascript_npm.d.ts +1 -0
package/dist/src/providers/javascript_npm.js +21 -0
package/dist/src/providers/javascript_pnpm.js +6 -2
package/dist/src/providers/marker_evaluator.d.ts +14 -0
package/dist/src/providers/marker_evaluator.js +191 -0
package/dist/src/providers/processors/yarn_berry_processor.js +6 -2
package/dist/src/providers/python_controller.d.ts +5 -1
package/dist/src/providers/python_controller.js +8 -4
package/dist/src/providers/python_pip.d.ts +4 -0
package/dist/src/providers/python_pip.js +4 -4
package/dist/src/providers/python_pip_pyproject.d.ts +61 -0
package/dist/src/providers/python_pip_pyproject.js +144 -0
package/dist/src/providers/python_poetry.d.ts +37 -4
package/dist/src/providers/python_poetry.js +82 -13
package/dist/src/providers/python_uv.d.ts +15 -0
package/dist/src/providers/python_uv.js +15 -1
package/dist/src/sbom.d.ts +7 -1
package/dist/src/sbom.js +4 -2
package/dist/src/tools.d.ts +26 -0
package/dist/src/tools.js +58 -0
package/package.json +1 -1

package/dist/src/cyclone_dx_sbom.d.ts CHANGED Viewed

@@ -18,9 +18,14 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope: any): CycloneDxSbom;
+    addDependency(sourceRef: PackageURL, targetRef: PackageURL, scope?: string, targetHashes?: Array<{
+        alg: string;
+        content: string;
+    }>): CycloneDxSbom;
     /** @param {{}} opts - various options, settings and configuration of application.
      * @return String CycloneDx Sbom json object in a string format
      */
@@ -50,6 +55,7 @@ export default class CycloneDxSbom {
         version: any;
         scope: any;
         licenses?: any;
+        hashes?: any;
     };
     /**
      * This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom

package/dist/src/cyclone_dx_sbom.js CHANGED Viewed

@@ -6,10 +6,11 @@ import { PackageURL } from "packageurl-js";
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
  * @param licenses optional license string or array of licenses for the component
- * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
+ * @param hashes optional array of hash objects for the component, e.g. [{alg: "SHA-256", content: "..."}]
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?, hashes?}}
  * @private
  */
-function getComponent(component, type, scope, licenses) {
+function getComponent(component, type, scope, licenses, hashes) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -47,6 +48,10 @@ function getComponent(component, type, scope, licenses) {
             return lic;
         });
     }
+    // Add hashes if provided (CycloneDX 1.4 format).
+    if (hashes && hashes.length > 0) {
+        componentObject.hashes = hashes;
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -86,16 +91,24 @@ export default class CycloneDxSbom {
      * Adds a dependency relationship between two components in the SBOM
      * @param {PackageURL} sourceRef - The source component (parent)
      * @param {PackageURL} targetRef - The target component (dependency)
+     * @param {string} [scope] - Scope of the dependency
+     * @param {Array<{alg: string, content: string}>} [targetHashes] - Optional hashes for the target component
      * @return {CycloneDxSbom} The updated SBOM
      */
-    addDependency(sourceRef, targetRef, scope) {
+    addDependency(sourceRef, targetRef, scope, targetHashes) {
         const sourcePurl = sourceRef.toString();
         const targetPurl = targetRef.toString();
         // Ensure both components exist in the components list
         [sourceRef, targetRef].forEach((ref, index) => {
             const purl = index === 0 ? sourcePurl : targetPurl;
-            if (this.getComponentIndex(purl) < 0) {
-                this.components.push(getComponent(ref, "library", scope));
+            const existingIndex = this.getComponentIndex(purl);
+            if (existingIndex < 0) {
+                const hashes = index === 1 ? targetHashes : undefined;
+                this.components.push(getComponent(ref, "library", scope, undefined, hashes));
+            }
+            else if (index === 1 && targetHashes && targetHashes.length > 0 && !this.components[existingIndex].hashes) {
+                // Update hashes if the component was first seen without them (e.g. as a source)
+                this.components[existingIndex].hashes = targetHashes;
             }
         });
         // Ensure source dependency exists

package/dist/src/index.d.ts CHANGED Viewed

@@ -136,19 +136,74 @@ declare function stackAnalysis(manifest: string, html: false, opts?: Options | u
  * 		or backend request failed
  */
 declare function stackAnalysis(manifest: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: string;
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: true, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<string>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts: Options & {
+    batchMetadata: true;
+}): Promise<{
+    analysis: {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html: false, opts?: (Options & {
+    batchMetadata?: false;
+}) | undefined): Promise<{
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
  * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
  * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
  */
-declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean, opts?: Options): Promise<string | {
+declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | {
     [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
 } | {
     analysis: string | {
@@ -196,6 +251,9 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
 import { discoverWorkspacePackages } from './workspace.js';
 import { discoverWorkspaceCrates } from './workspace.js';
 import { validatePackageJson } from './workspace.js';
@@ -203,5 +261,5 @@ import { resolveWorkspaceDiscoveryIgnore } from './workspace.js';
 import { filterManifestPathsByDiscoveryIgnore } from './workspace.js';
 import { resolveContinueOnError } from './batch_opts.js';
 import { resolveBatchMetadata } from './batch_opts.js';
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";

package/dist/src/index.js CHANGED Viewed

@@ -6,6 +6,9 @@ import analysis from './analysis.js';
 import fs from 'node:fs';
 import { getCustom } from "./tools.js";
 import { resolveBatchMetadata, resolveContinueOnError } from './batch_opts.js';
+import { discoverMavenModules } from './providers/java_maven.js';
+import { discoverGradleSubprojects } from './providers/java_gradle.js';
+import { discoverGoWorkspaceModules } from './providers/golang_gomodules.js';
 import { discoverWorkspaceCrates, discoverWorkspacePackages, filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, validatePackageJson, } from './workspace.js';
 import.meta.dirname;
 import * as url from 'url';
@@ -13,7 +16,7 @@ export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
 export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
-export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
+export { discoverMavenModules, discoverGradleSubprojects, discoverGoWorkspaceModules, discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
  * TRUSTIFY_DA_CARGO_PATH?: string | undefined,
@@ -279,16 +282,37 @@ async function generateOneSbom(manifestPath, workspaceOpts) {
  *
  * @param {string} root - Resolved workspace root
  * @param {Options} opts
- * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'unknown', manifestPaths: string[] }>}
+ * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'maven' | 'gradle' | 'gomodules' | 'unknown', manifestPaths: string[] }>}
  * @private
  */
 async function detectWorkspaceManifests(root, opts) {
     const cargoToml = path.join(root, 'Cargo.toml');
     const cargoLock = path.join(root, 'Cargo.lock');
     const packageJson = path.join(root, 'package.json');
+    const pomXml = path.join(root, 'pom.xml');
     if (fs.existsSync(cargoToml) && fs.existsSync(cargoLock)) {
         return { ecosystem: 'cargo', manifestPaths: await discoverWorkspaceCrates(root, opts) };
     }
+    if (fs.existsSync(pomXml)) {
+        const manifestPaths = await discoverMavenModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'maven', manifestPaths };
+        }
+    }
+    const hasGradleSettings = fs.existsSync(path.join(root, 'settings.gradle'))
+        || fs.existsSync(path.join(root, 'settings.gradle.kts'));
+    if (hasGradleSettings) {
+        const manifestPaths = await discoverGradleSubprojects(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'gradle', manifestPaths };
+        }
+    }
+    if (fs.existsSync(path.join(root, 'go.work'))) {
+        const manifestPaths = await discoverGoWorkspaceModules(root, opts);
+        if (manifestPaths.length > 0) {
+            return { ecosystem: 'gomodules', manifestPaths };
+        }
+    }
     const hasJsLock = fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
         || fs.existsSync(path.join(root, 'yarn.lock'))
         || fs.existsSync(path.join(root, 'package-lock.json'));
@@ -398,12 +422,45 @@ function batchError(message, wantMetadata, metadata) {
     }
     return err;
 }
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: string, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {true} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<string>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata: true }} opts
+ * @returns {Promise<{ analysis: Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error}
+ */
+/**
+ * @overload
+ * @param {string} workspaceRoot
+ * @param {false} html
+ * @param {Options & { batchMetadata?: false }} [opts={}]
+ * @returns {Promise<Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ * @throws {Error}
+ */
 /**
  * Get stack analysis for all workspace packages/crates (batch).
  * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
  * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
  * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
  *
+ * @overload
  * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
  * @param {boolean} [html=false] - true returns HTML, false returns JSON report
  * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
@@ -434,7 +491,7 @@ async function stackAnalysisBatch(workspaceRoot, html = false, opts = {}) {
         }
     }
     if (manifestPaths.length === 0) {
-        throw new Error(`No workspace manifests found at ${root}. Ensure Cargo.toml+Cargo.lock or package.json+lock file exist.`);
+        throw new Error(`No workspace manifests found at ${root}. Ensure a supported workspace root exists (Cargo.toml+Cargo.lock, go.work, or package.json+lock file).`);
     }
     const workspaceOpts = { ...opts, TRUSTIFY_DA_WORKSPACE_DIR: root };
     const concurrency = resolveBatchConcurrency(opts);

package/dist/src/provider.js CHANGED Viewed

@@ -7,6 +7,7 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_pip_pyproject from './providers/python_pip_pyproject.js';
 import Python_poetry from './providers/python_poetry.js';
 import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
@@ -27,6 +28,7 @@ export const availableProviders = [
     pythonPipProvider,
     new Python_poetry(),
     new Python_uv(),
+    new Python_pip_pyproject(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_java.d.ts CHANGED Viewed

@@ -57,15 +57,6 @@ export default class Base_Java {
      * @returns string
      */
     selectToolBinary(manifestPath: string, opts: {}): string | null;
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest: string, repoRoot?: string): string | undefined;
-    normalizePath(thePath: any): string;
     #private;
 }
 export type Provided = import("../provider").Provided;

package/dist/src/providers/base_java.js CHANGED Viewed

@@ -1,7 +1,6 @@
-import fs from 'node:fs';
 import path from 'node:path';
 import { PackageURL } from 'packageurl-js';
-import { getCustomPath, getGitRootDir, getWrapperPreference, invokeCommand } from "../tools.js";
+import { getCustomPath, getWrapperPreference, invokeCommand, traverseForWrapper } from "../tools.js";
 /** @typedef {import('../provider').Provider} */
 /** @typedef {import('../provider').Provided} Provided */
 /** @typedef {{name: string, version: string}} Package */
@@ -131,7 +130,7 @@ export default class Base_Java {
         const toolPath = getCustomPath(this.globalBinary, opts);
         const useWrapper = getWrapperPreference(this.globalBinary, opts);
         if (useWrapper) {
-            const wrapper = this.traverseForWrapper(manifestPath);
+            const wrapper = traverseForWrapper(manifestDir, this.localWrapper);
             if (wrapper !== undefined) {
                 try {
                     this._invokeCommand(wrapper, ['--version'], { cwd: manifestDir });
@@ -156,39 +155,4 @@ export default class Base_Java {
         }
         return toolPath;
     }
-    /**
-     *
-     * @param {string} startingManifest - the path of the manifest from which to start searching for the wrapper
-     * @param {string} repoRoot - the root of the repository at which point to stop searching for mvnw, derived via git if unset and then fallsback
-     * to the root of the drive the manifest is on (assumes absolute path is given)
-     * @returns {string|undefined}
-     */
-    traverseForWrapper(startingManifest, repoRoot = undefined) {
-        const normalizedManifest = this.normalizePath(startingManifest);
-        const currentDir = this.normalizePath(path.dirname(normalizedManifest));
-        repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(normalizedManifest).root;
-        const wrapperPath = path.join(currentDir, this.localWrapper);
-        try {
-            fs.accessSync(wrapperPath, fs.constants.X_OK);
-            return wrapperPath;
-        }
-        catch (error) {
-            if (error.code === 'ENOENT') {
-                const rootDir = path.parse(currentDir).root;
-                if (currentDir === repoRoot || currentDir === rootDir) {
-                    return undefined;
-                }
-                const parentDir = path.dirname(currentDir);
-                if (parentDir === currentDir || parentDir === rootDir) {
-                    return undefined;
-                }
-                return this.traverseForWrapper(path.join(parentDir, path.basename(normalizedManifest)), repoRoot);
-            }
-            throw new Error(`failure searching for ${this.localWrapper}`, { cause: error });
-        }
-    }
-    normalizePath(thePath) {
-        const normalized = path.resolve(thePath).normalize();
-        return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
-    }
 }

package/dist/src/providers/base_pyproject.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
 /** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
 /** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
 /** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
@@ -102,26 +102,14 @@ export default class Base_pyproject {
      */
     protected _getIgnoredDeps(manifestPath: string): Set<string>;
     /**
-     * Build dependency tree from graph, starting from direct deps.
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {string[]} directDeps
      * @param {Set<string>} ignoredDeps
-     * @param {boolean} includeTransitive
-     * @returns {DepTreeEntry[]}
-     * @protected
-     */
-    protected _buildDependencyTree(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>, includeTransitive: boolean): DepTreeEntry[];
-    /**
-     * Recursively collect transitive dependencies.
-     * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} childKeys
-     * @param {DepTreeEntry[]} result - mutated in place
-     * @param {Set<string>} ignoredDeps
-     * @param {Set<string>} visited
-     * @returns {void}
+     * @returns {Set<string>}
      * @protected
      */
-    protected _collectTransitive(graph: Map<string, GraphEntry>, childKeys: string[], result: DepTreeEntry[], ignoredDeps: Set<string>, visited: Set<string>): void;
+    protected _reachableNodes(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>): Set<string>;
     /**
      * @param {string} name
      * @param {string} version
@@ -129,15 +117,6 @@ export default class Base_pyproject {
      * @protected
      */
     protected _toPurl(name: string, version: string): PackageURL;
-    /**
-     * Recursively add a dependency and its transitive deps to the SBOM.
-     * @param {PackageURL} source
-     * @param {DepTreeEntry} dep
-     * @param {Sbom} sbom
-     * @returns {void}
-     * @private
-     */
-    private _addAllDependencies;
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml
@@ -152,6 +131,10 @@ export type GraphEntry = {
     name: string;
     version: string;
     children: string[];
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
 };
 export type DepTreeEntry = {
     name: string;

package/dist/src/providers/base_pyproject.js CHANGED Viewed

@@ -7,9 +7,10 @@ import Sbom from '../sbom.js';
 import { getCustom } from '../tools.js';
 const ecosystem = 'pip';
 const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
+const NO_SCOPE = undefined;
 const DEFAULT_ROOT_NAME = 'default-pip-root';
 const DEFAULT_ROOT_VERSION = '0.0.0';
-/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, children: string[], hashes?: Array<{alg: string, content: string}>}} GraphEntry */
 /** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
 /** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
 /** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
@@ -220,64 +221,29 @@ export default class Base_pyproject {
         return ignored;
     }
     /**
-     * Build dependency tree from graph, starting from direct deps.
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {string[]} directDeps
      * @param {Set<string>} ignoredDeps
-     * @param {boolean} includeTransitive
-     * @returns {DepTreeEntry[]}
-     * @protected
-     */
-    _buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive) {
-        let result = [];
-        for (let key of directDeps) {
-            if (ignoredDeps.has(key)) {
-                continue;
-            }
-            let entry = graph.get(key);
-            if (!entry) {
-                continue;
-            }
-            let depTree = [];
-            if (includeTransitive) {
-                let visited = new Set();
-                visited.add(key);
-                this._collectTransitive(graph, entry.children, depTree, ignoredDeps, visited);
-            }
-            result.push({ name: entry.name, version: entry.version, dependencies: depTree });
-        }
-        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
-        return result;
-    }
-    /**
-     * Recursively collect transitive dependencies.
-     * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} childKeys
-     * @param {DepTreeEntry[]} result - mutated in place
-     * @param {Set<string>} ignoredDeps
-     * @param {Set<string>} visited
-     * @returns {void}
+     * @returns {Set<string>}
      * @protected
      */
-    _collectTransitive(graph, childKeys, result, ignoredDeps, visited) {
-        for (let childKey of childKeys) {
-            let canonKey = this._canonicalize(childKey);
-            if (ignoredDeps.has(canonKey)) {
-                continue;
-            }
-            if (visited.has(canonKey)) {
+    _reachableNodes(graph, directDeps, ignoredDeps) {
+        let reachable = new Set();
+        let queue = directDeps.filter(k => !ignoredDeps.has(k) && graph.has(k));
+        while (queue.length > 0) {
+            let key = queue.shift();
+            if (reachable.has(key)) {
                 continue;
             }
-            visited.add(canonKey);
-            let entry = graph.get(canonKey);
-            if (!entry) {
-                continue;
+            reachable.add(key);
+            for (let child of graph.get(key).children) {
+                if (!ignoredDeps.has(child) && graph.has(child) && !reachable.has(child)) {
+                    queue.push(child);
+                }
             }
-            let childDeps = [];
-            this._collectTransitive(graph, entry.children, childDeps, ignoredDeps, visited);
-            result.push({ name: entry.name, version: entry.version, dependencies: childDeps });
         }
-        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+        return reachable;
     }
     /**
      * @param {string} name
@@ -288,21 +254,6 @@ export default class Base_pyproject {
     _toPurl(name, version) {
         return new PackageURL('pypi', undefined, name, version, undefined, undefined);
     }
-    /**
-     * Recursively add a dependency and its transitive deps to the SBOM.
-     * @param {PackageURL} source
-     * @param {DepTreeEntry} dep
-     * @param {Sbom} sbom
-     * @returns {void}
-     * @private
-     */
-    _addAllDependencies(source, dep, sbom) {
-        let targetPurl = this._toPurl(dep.name, dep.version);
-        sbom.addDependency(source, targetPurl);
-        if (dep.dependencies && dep.dependencies.length > 0) {
-            dep.dependencies.forEach(child => this._addAllDependencies(this._toPurl(dep.name, dep.version), child, sbom));
-        }
-    }
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml
@@ -318,21 +269,47 @@ export default class Base_pyproject {
         let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
         let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
         let ignoredDeps = this._getIgnoredDeps(manifest);
-        let dependencies = this._buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive);
         let sbom = new Sbom();
         let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
         let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
         let rootPurl = this._toPurl(rootName, rootVersion);
         let license = this.readLicenseFromManifest(manifest);
         sbom.addRoot(rootPurl, license);
-        dependencies.forEach(dep => {
-            if (includeTransitive) {
-                this._addAllDependencies(rootPurl, dep, sbom);
+        if (includeTransitive) {
+            let reachable = this._reachableNodes(graph, directDeps, ignoredDeps);
+            for (let key of directDeps) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version), NO_SCOPE, entry.hashes);
             }
-            else {
-                sbom.addDependency(rootPurl, this._toPurl(dep.name, dep.version));
+            for (let [key, entry] of graph) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let parentPurl = this._toPurl(entry.name, entry.version);
+                for (let child of entry.children) {
+                    if (!reachable.has(child)) {
+                        continue;
+                    }
+                    let childEntry = graph.get(child);
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version), NO_SCOPE, childEntry.hashes);
+                }
             }
-        });
+        }
+        else {
+            for (let key of directDeps) {
+                if (ignoredDeps.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                if (!entry) {
+                    continue;
+                }
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version), NO_SCOPE, entry.hashes);
+            }
+        }
         return sbom.getAsJsonString(opts);
     }
 }

package/dist/src/providers/golang_gomodules.d.ts CHANGED Viewed

@@ -1,3 +1,12 @@
+/**
+ * Discover all go.mod manifest paths in a Go workspace.
+ * Uses `go work edit -json` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain go.work)
+ * @param {import('../index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to go.mod files (absolute)
+ */
+export function discoverGoWorkspaceModules(workspaceRoot: string, opts?: import("../index.js").Options): Promise<string[]>;
 declare namespace _default {
     export { isSupported };
     export { validateLockFile };