@trustify-da/trustify-da-javascript-client 0.3.0-ea.d349baa → 0.3.0-ea.d71f957

package/README.md

@@ -32,6 +32,11 @@ let stackAnalysis = await client.stackAnalysis('/path/to/pom.xml')
 let stackAnalysisHtml = await client.stackAnalysis('/path/to/pom.xml', true)
 // Get component analysis in JSON format
 let componentAnalysis = await client.componentAnalysis('/path/to/pom.xml')
+// For monorepos, pass workspace root so the client finds the lock file
+let monorepoOpts = { workspaceDir: '/path/to/workspace-root' }
+let stackAnalysisMonorepo = await client.stackAnalysis('/path/to/package.json', false, monorepoOpts)
+// Batch analysis for entire workspace (Cargo or JS/TS); optional parallel SBOM generation
+let batchReport = await client.stackAnalysisBatch('/path/to/workspace-root', false, { batchConcurrency: 10 })
 // Get image analysis in JSON format
 let imageAnalysis = await client.imageAnalysis(['docker.io/library/node:18'])
 // Get image analysis in HTML format (string)
@@ -43,6 +48,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'])
 ```
 </li>
 </ul>
+
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
+</ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
 <ul>
 <li>
 Use as ESM Module from Common-JS module
@@ -83,12 +103,14 @@ Use as CLI Script
 ```shell
 $ npx @trustify-da/trustify-da-javascript-client help
 
-Usage: trustify-da-javascript-client {component|stack|image|validate-token}
+Usage: trustify-da-javascript-client {component|stack|image|validate-token|license}
 
 Commands:
-  trustify-da-javascript-client stack </path/to/manifest> [--html|--summary]               produce stack report for manifest path
-  trustify-da-javascript-client component <path/to/manifest> [--summary]   produce component report for a manifest type and content
+  trustify-da-javascript-client stack </path/to/manifest> [--workspace-dir <path>] [--html|--summary]               produce stack report for manifest path
+  trustify-da-javascript-client stack-batch </path/to/workspace-root> [--html|--summary]   produce stack report for all packages/crates in workspace
+  trustify-da-javascript-client component <path/to/manifest> [--workspace-dir <path>]   produce component report for a manifest type and content
   trustify-da-javascript-client image <image-refs..> [--html|--summary]               produce image analysis report for OCI image references
+  trustify-da-javascript-client license </path/to/manifest>               display project license information from manifest and LICENSE file in JSON format
 
 Options:
   --help  Show help                                                    [boolean]
@@ -105,9 +127,21 @@ $ npx @trustify-da/trustify-da-javascript-client stack /path/to/pom.xml --summar
 # get stack analysis in html format format
 $ npx @trustify-da/trustify-da-javascript-client stack /path/to/pom.xml --html
 
+# get stack analysis for monorepo (lock file at workspace root)
+$ npx @trustify-da/trustify-da-javascript-client stack /path/to/package.json --workspace-dir /path/to/workspace-root
+
 # get component analysis
 $ npx @trustify-da/trustify-da-javascript-client component /path/to/pom.xml
 
+# get component analysis for monorepo
+$ npx @trustify-da/trustify-da-javascript-client component /path/to/package.json -w /path/to/workspace-root
+
+# batch stack analysis for entire workspace (Cargo or JS/TS)
+$ npx @trustify-da/trustify-da-javascript-client stack-batch /path/to/workspace-root
+
+# optional: extra discovery excludes (merged with defaults); repeat --ignore or use TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE
+$ npx @trustify-da/trustify-da-javascript-client stack-batch /path/to/workspace-root --ignore '**/fixtures/**'
+
 # get image analysis in json format
 $ npx @trustify-da/trustify-da-javascript-client image docker.io/library/node:18
 
@@ -123,6 +157,9 @@ $ npx @trustify-da/trustify-da-javascript-client image docker.io/library/node:18
 
 # specify architecture using ^^ notation (e.g., httpd:2.4.49^^amd64)
 $ npx @trustify-da/trustify-da-javascript-client image httpd:2.4.49^^amd64
+
+# get project license information
+$ npx @trustify-da/trustify-da-javascript-client license /path/to/package.json
 ```
 </li>
 
@@ -143,9 +180,21 @@ $ trustify-da-javascript-client stack /path/to/pom.xml --summary
 # get stack analysis in html format format
 $ trustify-da-javascript-client stack /path/to/pom.xml --html
 
+# get stack analysis for monorepo (lock file at workspace root)
+$ trustify-da-javascript-client stack /path/to/package.json --workspace-dir /path/to/workspace-root
+
 # get component analysis
 $ trustify-da-javascript-client component /path/to/pom.xml
 
+# get component analysis for monorepo
+$ trustify-da-javascript-client component /path/to/package.json -w /path/to/workspace-root
+
+# batch stack analysis for entire workspace
+$ trustify-da-javascript-client stack-batch /path/to/workspace-root
+
+# with extra discovery excludes
+$ trustify-da-javascript-client stack-batch /path/to/workspace-root -i '**/vendor/**'
+
 # get image analysis in json format
 $ trustify-da-javascript-client image docker.io/library/node:18
 
@@ -161,6 +210,9 @@ $ trustify-da-javascript-client image docker.io/library/node:18 docker.io/librar
 
 # specify architecture using ^^ notation (e.g., httpd:2.4.49^^amd64)
 $ trustify-da-javascript-client image httpd:2.4.49^^amd64
+
+# get project license information
+$ trustify-da-javascript-client license /path/to/package.json
 ```
 </li>
 </ul>
@@ -174,8 +226,24 @@ $ trustify-da-javascript-client image httpd:2.4.49^^amd64
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
 <li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
+<li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
 </ul>
 
+<h3>License Detection</h3>
+<p>
+The client automatically detects your project's license with intelligent fallback:
+</p>
+<ul>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
+<li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
+<li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
+<li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
+</ul>
+<p>
+See <a href="./docs/license-resolution-and-compliance.md">License Resolution and Compliance</a> for detailed documentation.
+</p>
+
+
 <h3>Excluding Packages</h3>
 <p>
 Excluding a package from any analysis can be achieved by marking the package for exclusion.
@@ -219,8 +287,11 @@ Excluding a package from any analysis can be achieved by marking the package for
   ]
 }
 ```
+</li>
+
+<li>
+<em>Golang</em> users can add in go.mod a comment with <code>// exhortignore</code> next to the package to be ignored, or to "piggyback" on existing comment ( e.g - <code>// indirect</code>), for example:
 
-<em>Golang</em> users can add in go.mod a comment with //exhortignore next to the package to be ignored, or to "piggyback" on existing comment ( e.g - //indirect) , for example:
 ```go
 module github.com/trustify-da/SaaSi/deployer
 
@@ -229,7 +300,7 @@ go 1.19
 require (
         github.com/gin-gonic/gin v1.9.1
         github.com/google/uuid v1.1.2
-        github.com/jessevdk/go-flags v1.5.0 //exhortignore
+        github.com/jessevdk/go-flags v1.5.0 // exhortignore
         github.com/kr/pretty v0.3.1
         gopkg.in/yaml.v2 v2.4.0
         k8s.io/apimachinery v0.26.1
@@ -237,14 +308,20 @@ require (
 )
 
 require (
-        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
+        github.com/davecgh/go-spew v1.1.1 // indirect; exhortignore
         github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-        github.com/go-logr/logr v1.2.3 // indirect //exhortignore
+        github.com/go-logr/logr v1.2.3 // indirect; exhortignore
 
 )
 ```
 
+<b>NOTE</b>: It is important to format <code>exhortignore</code> markers on indirect dependencies as shown above, otherwise the Go tooling (as well as this library) may incorrectly parse dependencies marked as indirect as being direct dependencies instead.
+</li>
+
+
+<li>
 <em>Python pip</em> users can add in requirements.txt a comment with #exhortignore(or # exhortignore) to the right of the same artifact to be ignored, for example:
+
 ```properties
 anyio==3.6.2
 asgiref==3.4.1
@@ -275,11 +352,14 @@ Werkzeug==2.0.3
 zipp==3.6.0
 
 ```
+</li>
 
+<li>
 <em>Gradle</em> users can add in build.gradle a comment with //exhortignore next to the package to be ignored:
+
 ```build.gradle
 plugins {
-id 'java'
+    id 'java'
 }
 
 group = 'groupName'
@@ -297,9 +377,22 @@ test {
 }
 ```
 
-All of the 5 above examples are valid for marking a package to be ignored
-</li>
+<em>Rust Cargo</em> users can add a comment with <code># trustify-da-ignore</code> (or <code># exhortignore</code>) in <em>Cargo.toml</em> next to the dependency to be ignored. This works for inline declarations, table-based declarations, and workspace-level dependency sections:
 
+```toml
+[dependencies]
+serde = "1.0" # trustify-da-ignore
+tokio = { version = "1.35", features = ["full"] }
+
+[dependencies.regex] # trustify-da-ignore
+version = "1.10"
+
+[workspace.dependencies]
+log = "0.4" # trustify-da-ignore
+```
+
+All of the 6 above examples are valid for marking a package to be ignored
+</li>
 </ul>
 
 <h3>Customization</h3>
@@ -329,6 +422,9 @@ let options = {
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
+  'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
+  // Workspace root for monorepos (Cargo, npm/pnpm/yarn); lock file expected here
+  'workspaceDir': '/path/to/workspace-root',
   // Configure proxy for all requests
   'TRUSTIFY_DA_PROXY_URL': 'http://proxy.example.com:8080'
 }
@@ -351,6 +447,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'],
  **_Environment variables takes precedence._**
 </p>
 
+<h4>Monorepo / Workspace Support</h4>
+<p>
+For monorepos (Cargo workspaces, npm/pnpm/yarn workspaces) where the lock file lives at the workspace root rather than next to the manifest, pass the workspace root via <code>workspaceDir</code> or <code>TRUSTIFY_DA_WORKSPACE_DIR</code>:
+</p>
+<ul>
+<li><strong>Cargo:</strong> When set, the client checks only the given directory for <code>Cargo.lock</code> instead of walking up from the manifest.</li>
+<li><strong>JavaScript (npm, pnpm, yarn):</strong> When set, the client looks for the lock file (<code>package-lock.json</code>, <code>pnpm-lock.yaml</code>, <code>yarn.lock</code>) at the workspace root.</li>
+</ul>
+<p>
+Use <code>stackAnalysisBatch(workspaceRoot, html, opts)</code> to analyze all packages/crates in a workspace in one request. Supports Cargo workspaces and JS/TS workspaces (pnpm, npm, yarn). Optional <code>batchConcurrency</code> (or <code>TRUSTIFY_DA_BATCH_CONCURRENCY</code>) limits parallel SBOM generation (default 10). For JS/TS, each <code>package.json</code> must have non-empty <code>name</code> and <code>version</code>; invalid manifests are skipped (warnings). Per-manifest SBOM failures are skipped if at least one SBOM succeeds (unless <code>continueOnError: false</code>). Set <code>batchMetadata: true</code> (or <code>TRUSTIFY_DA_BATCH_METADATA</code>) to receive <code>{ analysis, metadata }</code> with <code>errors[]</code>. CLI: <code>stack-batch --metadata</code>, <code>--fail-fast</code>. See <a href="./docs/monorepo-implementation-plan.md">monorepo implementation plan</a> §2.3 and §3.5.
+</p>
+<p>
+See <a href="./docs/vscode-extension-integration-requirements.md">VS Code Extension Integration Requirements</a> for integration details.
+</p>
+
 <h4>Proxy Configuration</h4>
 <p>
 You can configure a proxy for all HTTP/HTTPS requests made by the API. This is useful when your environment requires going through a proxy to access external services.
@@ -372,6 +483,11 @@ const options = {
 The proxy URL should be in the format: `http://host:port` or `https://host:port`. The API will automatically use the appropriate protocol (HTTP or HTTPS) based on the proxy URL provided.
 </p>
 
+<h4>License resolution and dependency license compliance</h4>
+<p>
+The client can resolve the <strong>project license</strong> from the manifest (e.g. <code>package.json</code> <code>license</code>, <code>pom.xml</code> <code>&lt;licenses&gt;</code>, <code>Cargo.toml</code> <code>license</code>) and from a <code>LICENSE</code> or <code>LICENSE.md</code> file in the project, and report when they differ. For <strong>component analysis</strong>, you can optionally run a license check: the client fetches dependency licenses from the backend (by purl) and reports dependencies whose licenses are incompatible with the project license. See <a href="docs/license-resolution-and-compliance.md">License resolution and compliance</a> for design and behavior. To disable the check on component analysis, set <code>TRUSTIFY_DA_LICENSE_CHECK=false</code> or pass <code>licenseCheck: false</code> in the options.
+</p>
+
 <h4>Customizing Executables</h4>
 <p>
 This project uses each ecosystem's executable for creating dependency trees. These executables are expected to be
@@ -445,6 +561,16 @@ following keys for setting custom paths for the said executables.
 <td><em>gradle</em></td>
 <td>TRUSTIFY_DA_PREFER_GRADLEW</td>
 </tr>
+<tr>
+<td><a href="https://www.rust-lang.org/">Rust Cargo</a></td>
+<td><em>cargo</em></td>
+<td>TRUSTIFY_DA_CARGO_PATH</td>
+</tr>
+<tr>
+<td>Workspace root (monorepos)</td>
+<td>—</td>
+<td>workspaceDir / TRUSTIFY_DA_WORKSPACE_DIR</td>
+</tr>
 </table>
 
 #### Match Manifest Versions Feature

package/dist/package.json

@@ -40,29 +40,42 @@
         "test": "c8 npm run tests",
         "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
         "precompile": "rm -rf dist",
-        "compile": "tsc -p tsconfig.json"
+        "compile": "tsc -p tsconfig.json",
+        "compile:dev": "tsc -p tsconfig.dev.json",
+        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm dist/src/providers/tree-sitter-gomod.wasm"
     },
     "dependencies": {
         "@babel/core": "^7.23.2",
         "@cyclonedx/cyclonedx-library": "^6.13.0",
+        "eslint-import-resolver-typescript": "^4.4.4",
+        "fast-glob": "^3.3.3",
         "fast-toml": "^0.5.4",
         "fast-xml-parser": "^5.3.4",
         "help": "^3.0.2",
         "https-proxy-agent": "^7.0.6",
-        "node-fetch": "^2.7.0",
+        "js-yaml": "^4.1.1",
+        "micromatch": "^4.0.8",
+        "node-fetch": "^3.3.2",
+        "p-limit": "^4.0.0",
         "packageurl-js": "~1.0.2",
-        "yargs": "^17.7.2"
+        "smol-toml": "^1.6.0",
+        "tree-sitter-gomod": "github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda",
+        "tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
+        "web-tree-sitter": "^0.26.7",
+        "yargs": "^18.0.0"
     },
     "devDependencies": {
         "@babel/core": "^7.23.2",
-        "@trustify-da/trustify-da-api-model": "^2.0.1",
+        "@trustify-da/trustify-da-api-model": "^2.0.7",
         "@types/node": "^20.17.30",
         "@types/which": "^3.0.4",
         "babel-plugin-rewire": "^1.2.0",
-        "c8": "^10.1.3",
+        "c8": "^11.0.0",
         "chai": "^4.3.7",
         "eslint": "^8.42.0",
+        "eslint-import-resolver-typescript": "^4.4.4",
         "eslint-plugin-editorconfig": "^4.0.3",
         "eslint-plugin-import": "^2.29.1",
         "esmock": "^2.6.2",

package/dist/src/analysis.d.ts

@@ -1,6 +1,9 @@
+/** Media type for CycloneDX JSON batch payloads (batch-analysis API). */
+export const CYCLONEDX_JSON_MEDIA_TYPE: "application/vnd.cyclonedx+json";
 declare namespace _default {
     export { requestComponent };
     export { requestStack };
+    export { requestStackBatch };
     export { requestImages };
     export { validateToken };
 }
@@ -24,6 +27,19 @@ declare function requestComponent(provider: import("./provider").Provider, manif
  * @returns {Promise<string|import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>}
  */
 declare function requestStack(provider: import("./provider").Provider, manifest: string, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * Send a batch stack analysis request for multiple manifests (SBOMs keyed by purl).
+ * @param {Object.<string, object>} sbomByPurl - Map of root purl to CycloneDX SBOM object
+ * @param {string} url - the backend url
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON
+ * @param {import("index.js").Options} [opts={}]
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ */
+declare function requestStackBatch(sbomByPurl: {
+    [x: string]: any;
+}, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | {
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  *
  * @param {Array<string>} imageRefs

package/dist/src/analysis.js

@@ -1,28 +1,12 @@
 import fs from "node:fs";
 import path from "node:path";
 import { EOL } from "os";
-import { HttpsProxyAgent } from "https-proxy-agent";
+import { runLicenseCheck } from "./license/index.js";
 import { generateImageSBOM, parseImageRef } from "./oci_image/utils.js";
-import { RegexNotToBeLogged, getCustom } from "./tools.js";
-export default { requestComponent, requestStack, requestImages, validateToken };
-const rhdaTokenHeader = "rhda-token";
-const rhdaTelemetryId = "rhda-telemetry-id";
-const rhdaSourceHeader = "rhda-source";
-const rhdaOperationTypeHeader = "rhda-operation-type";
-const rhdaPackageManagerHeader = "rhda-pkg-manager";
-/**
- * Adds proxy agent configuration to fetch options if a proxy URL is specified
- * @param {RequestInit} options - The base fetch options
- * @param {import("index.js").Options} opts - The trustify DA options that may contain proxy configuration
- * @returns {RequestInit} The fetch options with proxy agent if applicable
- */
-function addProxyAgent(options, opts) {
-    const proxyUrl = getCustom('TRUSTIFY_DA_PROXY_URL', null, opts);
-    if (proxyUrl) {
-        options.agent = new HttpsProxyAgent(proxyUrl);
-    }
-    return options;
-}
+import { addProxyAgent, getCustom, getTokenHeaders, TRUSTIFY_DA_OPERATION_TYPE_HEADER, TRUSTIFY_DA_PACKAGE_MANAGER_HEADER } from "./tools.js";
+/** Media type for CycloneDX JSON batch payloads (batch-analysis API). */
+export const CYCLONEDX_JSON_MEDIA_TYPE = 'application/vnd.cyclonedx+json';
+export default { requestComponent, requestStack, requestStackBatch, requestImages, validateToken };
 /**
  * Send a stack analysis request and get the report as 'text/html' or 'application/json'.
  * @param {import('./provider').Provider} provider - the provided data for constructing the request
@@ -35,15 +19,15 @@ function addProxyAgent(options, opts) {
 async function requestStack(provider, manifest, url, html = false, opts = {}) {
     opts["source-manifest"] = Buffer.from(fs.readFileSync(manifest).toString()).toString('base64');
     opts["manifest-type"] = path.parse(manifest).base;
-    let provided = provider.provideStack(manifest, opts); // throws error if content providing failed
+    let provided = await provider.provideStack(manifest, opts); // throws error if content providing failed
     opts["source-manifest"] = "";
-    opts[rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_")] = "stack-analysis";
+    opts[TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_")] = "stack-analysis";
     let startTime = new Date();
     let endTime;
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         console.log("Starting time of sending stack analysis request to the dependency analytics server= " + startTime);
     }
-    opts[rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
+    opts[TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
     const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
@@ -53,7 +37,7 @@ async function requestStack(provider, manifest, url, html = false, opts = {}) {
         },
         body: provided.content
     }, opts);
-    const finalUrl = new URL(`${url}/api/v4/analysis`);
+    const finalUrl = new URL(`${url}/api/v5/analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -94,13 +78,13 @@ async function requestStack(provider, manifest, url, html = false, opts = {}) {
  */
 async function requestComponent(provider, manifest, url, opts = {}) {
     opts["source-manifest"] = Buffer.from(fs.readFileSync(manifest).toString()).toString('base64');
-    let provided = provider.provideComponent(manifest, opts); // throws error if content providing failed
+    let provided = await provider.provideComponent(manifest, opts); // throws error if content providing failed
     opts["source-manifest"] = "";
-    opts[rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_")] = "component-analysis";
+    opts[TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_")] = "component-analysis";
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         console.log("Starting time of sending component analysis request to Trustify DA backend server= " + new Date());
     }
-    opts[rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
+    opts[TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
     const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
@@ -110,7 +94,7 @@ async function requestComponent(provider, manifest, url, opts = {}) {
         },
         body: provided.content
     }, opts);
-    const finalUrl = new URL(`${url}/api/v4/analysis`);
+    const finalUrl = new URL(`${url}/api/v5/analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -127,12 +111,67 @@ async function requestComponent(provider, manifest, url, opts = {}) {
             console.log(JSON.stringify(result, null, 4));
             console.log("Ending time of sending component analysis request to Trustify DA backend server= " + new Date());
         }
+        const licenseCheckEnabled = getCustom('TRUSTIFY_DA_LICENSE_CHECK', 'true', opts) !== 'false' && opts.licenseCheck !== false;
+        if (licenseCheckEnabled) {
+            try {
+                result.licenseSummary = await runLicenseCheck(provided.content, manifest, url, opts, result);
+            }
+            catch (licenseErr) {
+                result.licenseSummary = { error: licenseErr.message };
+            }
+        }
     }
     else {
         throw new Error(`Got error response from Trustify DA backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`);
     }
     return Promise.resolve(result);
 }
+/**
+ * Send a batch stack analysis request for multiple manifests (SBOMs keyed by purl).
+ * @param {Object.<string, object>} sbomByPurl - Map of root purl to CycloneDX SBOM object
+ * @param {string} url - the backend url
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON
+ * @param {import("index.js").Options} [opts={}]
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ */
+async function requestStackBatch(sbomByPurl, url, html = false, opts = {}) {
+    const finalUrl = new URL(`${url}/api/v5/batch-analysis`);
+    if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
+        finalUrl.searchParams.append('recommend', 'false');
+    }
+    const fetchOptions = addProxyAgent({
+        method: 'POST',
+        headers: {
+            'Accept': html ? 'text/html' : 'application/json',
+            'Content-Type': CYCLONEDX_JSON_MEDIA_TYPE,
+            ...getTokenHeaders(opts)
+        },
+        body: JSON.stringify(sbomByPurl)
+    }, opts);
+    const resp = await fetch(finalUrl, fetchOptions);
+    if (resp.status === 200) {
+        let result;
+        if (!html) {
+            result = await resp.json();
+        }
+        else {
+            result = await resp.text();
+        }
+        if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
+            const exRequestId = resp.headers.get("ex-request-id");
+            if (exRequestId) {
+                console.log("Unique Identifier associated with this request - ex-request-id=" + exRequestId);
+            }
+            console.log("Response body received from Trustify DA backend server : " + EOL + EOL);
+            console.log(JSON.stringify(result, null, 4));
+            console.log("Ending time of sending batch stack analysis request to Trustify DA backend server= " + new Date());
+        }
+        return result;
+    }
+    else {
+        throw new Error(`Got error response from Trustify DA backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`);
+    }
+}
 /**
  *
  * @param {Array<string>} imageRefs
@@ -146,7 +185,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
         const parsedImageRef = parseImageRef(image, opts);
         imageSboms[parsedImageRef.getPackageURL().toString()] = generateImageSBOM(parsedImageRef, opts);
     }
-    const finalUrl = new URL(`${url}/api/v4/batch-analysis`);
+    const finalUrl = new URL(`${url}/api/v5/batch-analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -154,7 +193,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
         method: 'POST',
         headers: {
             'Accept': html ? 'text/html' : 'application/json',
-            'Content-Type': 'application/vnd.cyclonedx+json',
+            'Content-Type': CYCLONEDX_JSON_MEDIA_TYPE,
             ...getTokenHeaders(opts)
         },
         body: JSON.stringify(imageSboms),
@@ -195,7 +234,7 @@ async function validateToken(url, opts = {}) {
             ...getTokenHeaders(opts),
         }
     }, opts);
-    let resp = await fetch(`${url}/api/v4/token`, fetchOptions);
+    let resp = await fetch(`${url}/api/v5/token`, fetchOptions);
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         let exRequestId = resp.headers.get("ex-request-id");
         if (exRequestId) {
@@ -204,49 +243,3 @@ async function validateToken(url, opts = {}) {
     }
     return resp.status;
 }
-/**
- *
- * @param {string} headerName - the header name to populate in request
- * @param headers
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
- * @private
- */
-function setRhdaHeader(headerName, headers, opts) {
-    let rhdaHeaderValue = getCustom(headerName.toUpperCase().replaceAll("-", "_"), null, opts);
-    if (rhdaHeaderValue) {
-        headers[headerName] = rhdaHeaderValue;
-    }
-}
-/**
- * Utility function for fetching vendor tokens
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
- * @returns {{}}
- */
-function getTokenHeaders(opts = {}) {
-    let supportedTokens = ['snyk', 'oss-index'];
-    let headers = {};
-    supportedTokens.forEach(vendor => {
-        let token = getCustom(`TRUSTIFY_DA_${vendor.replace("-", "_").toUpperCase()}_TOKEN`, null, opts);
-        if (token) {
-            headers[`ex-${vendor}-token`] = token;
-        }
-        let user = getCustom(`TRUSTIFY_DA_${vendor.replace("-", "_").toUpperCase()}_USER`, null, opts);
-        if (user) {
-            headers[`ex-${vendor}-user`] = user;
-        }
-    });
-    setRhdaHeader(rhdaTokenHeader, headers, opts);
-    setRhdaHeader(rhdaSourceHeader, headers, opts);
-    setRhdaHeader(rhdaOperationTypeHeader, headers, opts);
-    setRhdaHeader(rhdaPackageManagerHeader, headers, opts);
-    setRhdaHeader(rhdaTelemetryId, headers, opts);
-    if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
-        console.log("Headers Values to be sent to Trustify DA backend:" + EOL);
-        for (const headerKey in headers) {
-            if (!headerKey.match(RegexNotToBeLogged)) {
-                console.log(`${headerKey}: ${headers[headerKey]}`);
-            }
-        }
-    }
-    return headers;
-}

package/dist/src/batch_opts.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Whether to skip failed manifests and continue (default), or fail on first SBOM/validation error.
+ * `opts.continueOnError` overrides; env `TRUSTIFY_DA_CONTINUE_ON_ERROR=false` disables continuation.
+ *
+ * @param {{ continueOnError?: boolean, TRUSTIFY_DA_CONTINUE_ON_ERROR?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean} true = collect errors (default), false = fail-fast
+ */
+export function resolveContinueOnError(opts?: {
+    continueOnError?: boolean;
+    TRUSTIFY_DA_CONTINUE_ON_ERROR?: string;
+    [key: string]: unknown;
+}): boolean;
+/**
+ * When true, `stackAnalysisBatch` returns `{ analysis, metadata }` instead of the backend response only.
+ * `opts.batchMetadata` overrides; env `TRUSTIFY_DA_BATCH_METADATA=true` enables.
+ *
+ * @param {{ batchMetadata?: boolean, TRUSTIFY_DA_BATCH_METADATA?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean}
+ */
+export function resolveBatchMetadata(opts?: {
+    batchMetadata?: boolean;
+    TRUSTIFY_DA_BATCH_METADATA?: string;
+    [key: string]: unknown;
+}): boolean;

package/dist/src/batch_opts.js

@@ -0,0 +1,35 @@
+import { getCustom } from './tools.js';
+/**
+ * Whether to skip failed manifests and continue (default), or fail on first SBOM/validation error.
+ * `opts.continueOnError` overrides; env `TRUSTIFY_DA_CONTINUE_ON_ERROR=false` disables continuation.
+ *
+ * @param {{ continueOnError?: boolean, TRUSTIFY_DA_CONTINUE_ON_ERROR?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean} true = collect errors (default), false = fail-fast
+ */
+export function resolveContinueOnError(opts = {}) {
+    if (typeof opts.continueOnError === 'boolean') {
+        return opts.continueOnError;
+    }
+    const v = getCustom('TRUSTIFY_DA_CONTINUE_ON_ERROR', null, opts);
+    if (v != null && String(v).trim() !== '') {
+        return String(v).toLowerCase() !== 'false';
+    }
+    return true;
+}
+/**
+ * When true, `stackAnalysisBatch` returns `{ analysis, metadata }` instead of the backend response only.
+ * `opts.batchMetadata` overrides; env `TRUSTIFY_DA_BATCH_METADATA=true` enables.
+ *
+ * @param {{ batchMetadata?: boolean, TRUSTIFY_DA_BATCH_METADATA?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean}
+ */
+export function resolveBatchMetadata(opts = {}) {
+    if (typeof opts.batchMetadata === 'boolean') {
+        return opts.batchMetadata;
+    }
+    const v = getCustom('TRUSTIFY_DA_BATCH_METADATA', null, opts);
+    if (v != null && String(v).trim() !== '') {
+        return String(v).toLowerCase() === 'true';
+    }
+    return false;
+}