@trustify-da/trustify-da-javascript-client 0.3.0-ea.d349baa → 0.3.0-ea.d84439a

package/dist/src/cyclone_dx_sbom.js

@@ -5,10 +5,11 @@ import { PackageURL } from "packageurl-js";
  * @param component {PackageURL}
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
- * @return {{"bom-ref": string, name, purl: string, type, version, scope}}
+ * @param licenses optional license string or array of licenses for the component
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
  * @private
  */
-function getComponent(component, type, scope) {
+function getComponent(component, type, scope, licenses) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -36,6 +37,16 @@ function getComponent(component, type, scope) {
     else {
         componentObject = component;
     }
+    // Add licenses if provided (CycloneDX format). Callers must provide valid SPDX identifiers.
+    if (licenses) {
+        const licenseArray = Array.isArray(licenses) ? licenses : [licenses];
+        componentObject.licenses = licenseArray.map(lic => {
+            if (typeof lic === 'string') {
+                return { license: { id: lic } };
+            }
+            return lic;
+        });
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -56,11 +67,12 @@ export default class CycloneDxSbom {
     }
     /**
      * @param {PackageURL} root - add main/root component for sbom
+     * @param {string|Array} [licenses] - optional license(s) for the root component
      * @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
      */
-    addRoot(root) {
+    addRoot(root, licenses) {
         this.rootComponent =
-            getComponent(root, "application");
+            getComponent(root, "application", undefined, licenses);
         this.components.push(this.rootComponent);
         return this;
     }
@@ -108,6 +120,7 @@ export default class CycloneDxSbom {
     getAsJsonString(opts) {
         let manifestType = opts["manifest-type"];
         this.setSourceManifest(opts["source-manifest"]);
+        const rootPurl = this.rootComponent?.purl;
         this.sbomObject = {
             "bomFormat": "CycloneDX",
             "specVersion": "1.4",
@@ -117,7 +130,7 @@ export default class CycloneDxSbom {
                 "component": this.rootComponent,
                 "properties": new Array()
             },
-            "components": this.components,
+            "components": this.components.filter(c => c.purl !== rootPurl),
             "dependencies": this.dependencies
         };
         if (this.rootComponent === undefined) {
@@ -229,6 +242,20 @@ export default class CycloneDxSbom {
             return false;
         }
     }
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef, purlPrefix) {
+        const sourcePurl = sourceRef.toString();
+        const depIndex = this.getDependencyIndex(sourcePurl);
+        if (depIndex < 0) {
+            return false;
+        }
+        return this.dependencies[depIndex].dependsOn.some(dep => dep.startsWith(purlPrefix));
+    }
     /** Removes the root component from the sbom
      */
     removeRootComponent() {

package/dist/src/index.d.ts

@@ -13,16 +13,28 @@ export function selectTrustifyDABackend(opts?: {
     TRUSTIFY_DA_DEBUG?: string | undefined;
     TRUSTIFY_DA_BACKEND_URL?: string | undefined;
 }): string;
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export function generateSbom(manifestPath: string, opts?: Options): Promise<object>;
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 declare namespace _default {
     export { componentAnalysis };
     export { stackAnalysis };
+    export { stackAnalysisBatch };
     export { imageAnalysis };
     export { validateToken };
+    export { generateSbom };
 }
 export default _default;
 export type Options = {
+    TRUSTIFY_DA_CARGO_PATH?: string | undefined;
     TRUSTIFY_DA_DOCKER_PATH?: string | undefined;
     TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED?: string | undefined;
     TRUSTIFY_DA_GO_PATH?: string | undefined;
@@ -47,11 +59,45 @@ export type Options = {
     TRUSTIFY_DA_SYFT_CONFIG_PATH?: string | undefined;
     TRUSTIFY_DA_SYFT_PATH?: string | undefined;
     TRUSTIFY_DA_YARN_PATH?: string | undefined;
+    TRUSTIFY_DA_WORKSPACE_DIR?: string | undefined;
+    TRUSTIFY_DA_LICENSE_CHECK?: string | undefined;
     MATCH_MANIFEST_VERSIONS?: string | undefined;
-    RHDA_SOURCE?: string | undefined;
-    RHDA_TOKEN?: string | undefined;
-    RHDA_TELEMETRY_ID?: string | undefined;
-    [key: string]: string | undefined;
+    TRUSTIFY_DA_SOURCE?: string | undefined;
+    TRUSTIFY_DA_TOKEN?: string | undefined;
+    TRUSTIFY_DA_TELEMETRY_ID?: string | undefined;
+    TRUSTIFY_DA_WORKSPACE_DIR?: string | undefined;
+    batchConcurrency?: number | undefined;
+    TRUSTIFY_DA_BATCH_CONCURRENCY?: string | undefined;
+    workspaceDiscoveryIgnore?: string[] | undefined;
+    TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string | undefined;
+    continueOnError?: boolean | undefined;
+    TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined;
+    batchMetadata?: boolean | undefined;
+    TRUSTIFY_DA_BATCH_METADATA?: string | undefined;
+    TRUSTIFY_DA_UV_PATH?: string | undefined;
+    TRUSTIFY_DA_POETRY_PATH?: string | undefined;
+    [key: string]: string | number | boolean | string[] | undefined;
+};
+export type BatchAnalysisMetadata = {
+    workspaceRoot: string;
+    ecosystem: "javascript" | "cargo" | "unknown";
+    total: number;
+    successful: number;
+    failed: number;
+    errors: Array<{
+        manifestPath: string;
+        phase: "validation" | "sbom";
+        reason: string;
+    }>;
+};
+export type SbomResult = {
+    ok: true;
+    purl: string;
+    sbom: object;
+} | {
+    ok: false;
+    manifestPath: string;
+    reason: string;
 };
 /**
  * Get component analysis report for a manifest content.
@@ -90,6 +136,26 @@ declare function stackAnalysis(manifest: string, html: false, opts?: Options | u
  * 		or backend request failed
  */
 declare function stackAnalysis(manifest: string, html?: boolean | undefined, opts?: Options | undefined): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * Get stack analysis for all workspace packages/crates (batch).
+ * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
+ * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
+ * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
+ *
+ * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON report
+ * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
+ */
+declare function stackAnalysisBatch(workspaceRoot: string, html?: boolean, opts?: Options): Promise<string | {
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+} | {
+    analysis: string | {
+        [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+    };
+    metadata: BatchAnalysisMetadata;
+}>;
 /**
  * @overload
  * @param {Array<string>} imageRefs
@@ -130,3 +196,12 @@ declare function imageAnalysis(imageRefs: Array<string>, html?: boolean | undefi
  * @throws {Error} if the backend request failed.
  */
 declare function validateToken(opts?: Options): Promise<object>;
+import { discoverWorkspacePackages } from './workspace.js';
+import { discoverWorkspaceCrates } from './workspace.js';
+import { validatePackageJson } from './workspace.js';
+import { resolveWorkspaceDiscoveryIgnore } from './workspace.js';
+import { filterManifestPathsByDiscoveryIgnore } from './workspace.js';
+import { resolveContinueOnError } from './batch_opts.js';
+import { resolveBatchMetadata } from './batch_opts.js';
+export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata };
+export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";

package/dist/src/index.js

@@ -1,16 +1,22 @@
 import path from "node:path";
 import { EOL } from "os";
+import pLimit from 'p-limit';
 import { availableProviders, match } from './provider.js';
 import analysis from './analysis.js';
 import fs from 'node:fs';
 import { getCustom } from "./tools.js";
+import { resolveBatchMetadata, resolveContinueOnError } from './batch_opts.js';
+import { discoverWorkspaceCrates, discoverWorkspacePackages, filterManifestPathsByDiscoveryIgnore, resolveWorkspaceDiscoveryIgnore, validatePackageJson, } from './workspace.js';
 import.meta.dirname;
 import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
-export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken };
+export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
+export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
+export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
+ * TRUSTIFY_DA_CARGO_PATH?: string | undefined,
  * TRUSTIFY_DA_DOCKER_PATH?: string | undefined,
  * TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED?: string | undefined,
  * TRUSTIFY_DA_GO_PATH?: string | undefined,
@@ -35,13 +41,36 @@ export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken
  * TRUSTIFY_DA_SYFT_CONFIG_PATH?: string | undefined,
  * TRUSTIFY_DA_SYFT_PATH?: string | undefined,
  * TRUSTIFY_DA_YARN_PATH?: string | undefined,
+ * TRUSTIFY_DA_WORKSPACE_DIR?: string | undefined,
+ * TRUSTIFY_DA_LICENSE_CHECK?: string | undefined,
  * MATCH_MANIFEST_VERSIONS?: string | undefined,
- * RHDA_SOURCE?: string | undefined,
- * RHDA_TOKEN?: string | undefined,
- * RHDA_TELEMETRY_ID?: string | undefined,
- * [key: string]: string | undefined,
+ * TRUSTIFY_DA_SOURCE?: string | undefined,
+ * TRUSTIFY_DA_TOKEN?: string | undefined,
+ * TRUSTIFY_DA_TELEMETRY_ID?: string | undefined,
+ * TRUSTIFY_DA_WORKSPACE_DIR?: string | undefined,
+ * batchConcurrency?: number | undefined,
+ * TRUSTIFY_DA_BATCH_CONCURRENCY?: string | undefined,
+ * workspaceDiscoveryIgnore?: string[] | undefined,
+ * TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string | undefined,
+ * continueOnError?: boolean | undefined,
+ * TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined,
+ * batchMetadata?: boolean | undefined,
+ * TRUSTIFY_DA_BATCH_METADATA?: string | undefined,
+ * TRUSTIFY_DA_UV_PATH?: string | undefined,
+ * TRUSTIFY_DA_POETRY_PATH?: string | undefined,
+ * [key: string]: string | number | boolean | string[] | undefined,
  * }} Options
  */
+/**
+ * @typedef {{
+ *   workspaceRoot: string,
+ *   ecosystem: 'javascript' | 'cargo' | 'unknown',
+ *   total: number,
+ *   successful: number,
+ *   failed: number,
+ *   errors: Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>
+ * }} BatchAnalysisMetadata
+ */
 /**
  * Logs messages to the console if the TRUSTIFY_DA_DEBUG environment variable is set to "true".
  * @param {string} alongsideText - The text to prepend to the log message.
@@ -127,7 +156,7 @@ export function selectTrustifyDABackend(opts = {}) {
 async function stackAnalysis(manifest, html = false, opts = {}) {
     const theUrl = selectTrustifyDABackend(opts);
     fs.accessSync(manifest, fs.constants.R_OK); // throws error if file unreadable
-    let provider = match(manifest, availableProviders); // throws error if no matching provider
+    let provider = match(manifest, availableProviders, opts); // throws error if no matching provider
     return await analysis.requestStack(provider, manifest, theUrl, html, opts); // throws error request sending failed
 }
 /**
@@ -141,7 +170,7 @@ async function componentAnalysis(manifest, opts = {}) {
     const theUrl = selectTrustifyDABackend(opts);
     fs.accessSync(manifest, fs.constants.R_OK);
     opts["manifest-type"] = path.basename(manifest);
-    let provider = match(manifest, availableProviders); // throws error if no matching provider
+    let provider = match(manifest, availableProviders, opts); // throws error if no matching provider
     return await analysis.requestComponent(provider, manifest, theUrl, opts); // throws error request sending failed
 }
 /**
@@ -174,6 +203,258 @@ async function imageAnalysis(imageRefs, html = false, opts = {}) {
     const theUrl = selectTrustifyDABackend(opts);
     return await analysis.requestImages(imageRefs, theUrl, html, opts);
 }
+/**
+ * Max concurrent SBOM generations for batch workspace analysis. Env/opts override default 10.
+ * @param {Options} opts
+ * @returns {number}
+ * @private
+ */
+function resolveBatchConcurrency(opts) {
+    const fromEnv = getCustom('TRUSTIFY_DA_BATCH_CONCURRENCY', null, opts);
+    const raw = opts.batchConcurrency ?? fromEnv ?? '10';
+    const n = typeof raw === 'number' ? raw : parseInt(String(raw), 10);
+    if (!Number.isFinite(n) || n < 1) {
+        return 10;
+    }
+    return Math.min(256, n);
+}
+/**
+ * @param {string} root
+ * @param {'javascript' | 'cargo' | 'unknown'} ecosystem
+ * @param {number} totalSbomAttempts
+ * @param {number} successfulSbomCount
+ * @param {Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>} errors
+ * @returns {BatchAnalysisMetadata}
+ * @private
+ */
+function buildBatchAnalysisMetadata(root, ecosystem, totalSbomAttempts, successfulSbomCount, errors) {
+    return {
+        workspaceRoot: root,
+        ecosystem,
+        total: totalSbomAttempts,
+        successful: successfulSbomCount,
+        failed: errors.length,
+        errors: [...errors],
+    };
+}
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export async function generateSbom(manifestPath, opts = {}) {
+    fs.accessSync(manifestPath, fs.constants.R_OK);
+    const result = await generateOneSbom(manifestPath, opts);
+    if (!result.ok) {
+        throw new Error(`Failed to generate SBOM for ${result.manifestPath}: ${result.reason}`);
+    }
+    return result.sbom;
+}
+/**
+ * @typedef {{ ok: true, purl: string, sbom: object } | { ok: false, manifestPath: string, reason: string }} SbomResult
+ */
+/**
+ * Generate an SBOM for a single manifest, returning a normalized result.
+ *
+ * @param {string} manifestPath
+ * @param {Options} workspaceOpts - opts with `TRUSTIFY_DA_WORKSPACE_DIR` set
+ * @returns {Promise<SbomResult>}
+ * @private
+ */
+async function generateOneSbom(manifestPath, workspaceOpts) {
+    const provider = match(manifestPath, availableProviders, workspaceOpts);
+    const provided = await provider.provideStack(manifestPath, workspaceOpts);
+    const sbom = JSON.parse(provided.content);
+    const purl = sbom?.metadata?.component?.purl || sbom?.metadata?.component?.['bom-ref'];
+    if (!purl) {
+        return { ok: false, manifestPath, reason: 'missing purl in SBOM' };
+    }
+    return { ok: true, purl, sbom };
+}
+/**
+ * Detect the workspace ecosystem and discover manifest paths.
+ *
+ * @param {string} root - Resolved workspace root
+ * @param {Options} opts
+ * @returns {Promise<{ ecosystem: 'javascript' | 'cargo' | 'unknown', manifestPaths: string[] }>}
+ * @private
+ */
+async function detectWorkspaceManifests(root, opts) {
+    const cargoToml = path.join(root, 'Cargo.toml');
+    const cargoLock = path.join(root, 'Cargo.lock');
+    const packageJson = path.join(root, 'package.json');
+    if (fs.existsSync(cargoToml) && fs.existsSync(cargoLock)) {
+        return { ecosystem: 'cargo', manifestPaths: await discoverWorkspaceCrates(root, opts) };
+    }
+    const hasJsLock = fs.existsSync(path.join(root, 'pnpm-lock.yaml'))
+        || fs.existsSync(path.join(root, 'yarn.lock'))
+        || fs.existsSync(path.join(root, 'package-lock.json'));
+    if (fs.existsSync(packageJson) && hasJsLock) {
+        let manifestPaths = await discoverWorkspacePackages(root, opts);
+        if (manifestPaths.length === 0) {
+            manifestPaths = [packageJson];
+        }
+        return { ecosystem: 'javascript', manifestPaths };
+    }
+    return { ecosystem: 'unknown', manifestPaths: [] };
+}
+/**
+ * Validate discovered JS package.json manifests, collecting errors.
+ *
+ * @param {string[]} manifestPaths
+ * @param {boolean} continueOnError
+ * @param {Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>} collectedErrors - mutated in place
+ * @returns {{ validPaths: string[] }}
+ * @throws {Error} on first invalid manifest when `continueOnError` is false
+ * @private
+ */
+function validateJsManifests(manifestPaths, continueOnError, collectedErrors) {
+    const validPaths = [];
+    for (const p of manifestPaths) {
+        const v = validatePackageJson(p);
+        if (v.valid) {
+            validPaths.push(p);
+        }
+        else {
+            collectedErrors.push({ manifestPath: p, phase: 'validation', reason: v.error });
+            console.warn(`Skipping invalid package.json (${v.error}): ${p}`);
+            if (!continueOnError) {
+                throw new Error(`Invalid package.json (${v.error}): ${p}`);
+            }
+        }
+    }
+    return { validPaths };
+}
+/**
+ * Generate SBOMs for all manifests. In fail-fast mode, stops on first error.
+ * In continue-on-error mode, runs concurrently and collects failures.
+ *
+ * @param {string[]} manifestPaths
+ * @param {Options} workspaceOpts
+ * @param {boolean} continueOnError
+ * @param {number} concurrency
+ * @param {Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>} collectedErrors - mutated in place
+ * @returns {Promise<Object.<string, object>>} sbomByPurl map
+ * @throws {Error} on first SBOM failure when `continueOnError` is false
+ * @private
+ */
+async function generateSboms(manifestPaths, workspaceOpts, continueOnError, concurrency, collectedErrors) {
+    /** @type {SbomResult[]} */
+    const results = [];
+    if (!continueOnError) {
+        for (const manifestPath of manifestPaths) {
+            const result = await generateOneSbom(manifestPath, workspaceOpts);
+            if (!result.ok) {
+                collectedErrors.push({ manifestPath: result.manifestPath, phase: 'sbom', reason: result.reason });
+                throw new Error(`${result.manifestPath}: ${result.reason}`);
+            }
+            results.push(result);
+        }
+    }
+    else {
+        const limit = pLimit(concurrency);
+        const settled = await Promise.all(manifestPaths.map(manifestPath => limit(async () => {
+            try {
+                return await generateOneSbom(manifestPath, workspaceOpts);
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
+                    console.log(`Skipping ${manifestPath}: ${msg}`);
+                }
+                return { ok: false, manifestPath, reason: msg };
+            }
+        })));
+        for (const r of settled) {
+            results.push(r);
+            if (!r.ok) {
+                collectedErrors.push({ manifestPath: r.manifestPath, phase: 'sbom', reason: r.reason });
+            }
+        }
+    }
+    const sbomByPurl = {};
+    for (const r of results) {
+        if (r.ok) {
+            sbomByPurl[r.purl] = r.sbom;
+        }
+    }
+    return sbomByPurl;
+}
+/**
+ * Create an Error with optional `batchMetadata` attached.
+ * @param {string} message
+ * @param {boolean} wantMetadata
+ * @param {BatchAnalysisMetadata} [metadata]
+ * @returns {Error}
+ * @private
+ */
+function batchError(message, wantMetadata, metadata) {
+    const err = new Error(message);
+    if (wantMetadata && metadata) {
+        err.batchMetadata = metadata;
+    }
+    return err;
+}
+/**
+ * Get stack analysis for all workspace packages/crates (batch).
+ * Detects ecosystem from workspace root: Cargo (Cargo.toml + Cargo.lock) or JS/TS (package.json + lock file).
+ * SBOMs are generated in parallel (see `batchConcurrency`) unless `continueOnError: false` (fail-fast sequential).
+ * With `opts.batchMetadata` / `TRUSTIFY_DA_BATCH_METADATA`, returns `{ analysis, metadata }` including validation and SBOM errors.
+ *
+ * @param {string} workspaceRoot - Path to workspace root (containing lock file and workspace config)
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON report
+ * @param {Options} [opts={}] - `batchConcurrency`, discovery ignores, `continueOnError` (default true), `batchMetadata` (default false)
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>|{ analysis: string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>, metadata: BatchAnalysisMetadata }>}
+ * @throws {Error} if workspace root invalid, no manifests found, no packages pass validation, no SBOMs produced, or backend request failed. When `opts.batchMetadata` is set, `error.batchMetadata` may be set on thrown errors.
+ */
+async function stackAnalysisBatch(workspaceRoot, html = false, opts = {}) {
+    const theUrl = selectTrustifyDABackend(opts);
+    const root = path.resolve(workspaceRoot);
+    fs.accessSync(root, fs.constants.R_OK);
+    const continueOnError = resolveContinueOnError(opts);
+    const wantMetadata = resolveBatchMetadata(opts);
+    /** @type {Array<{ manifestPath: string, phase: 'validation' | 'sbom', reason: string }>} */
+    const collectedErrors = [];
+    const { ecosystem, manifestPaths: discovered } = await detectWorkspaceManifests(root, opts);
+    let manifestPaths = discovered;
+    if (ecosystem === 'javascript') {
+        try {
+            const { validPaths } = validateJsManifests(manifestPaths, continueOnError, collectedErrors);
+            manifestPaths = validPaths;
+        }
+        catch (err) {
+            throw batchError(err.message, wantMetadata, buildBatchAnalysisMetadata(root, ecosystem, 0, 0, collectedErrors));
+        }
+        if (manifestPaths.length === 0 && discovered.length > 0) {
+            const detail = collectedErrors.map(e => `${e.manifestPath}: ${e.reason}`).join('; ');
+            throw batchError(`No valid packages after validation at ${root}. ${detail}`, wantMetadata, buildBatchAnalysisMetadata(root, ecosystem, 0, 0, collectedErrors));
+        }
+    }
+    if (manifestPaths.length === 0) {
+        throw new Error(`No workspace manifests found at ${root}. Ensure Cargo.toml+Cargo.lock or package.json+lock file exist.`);
+    }
+    const workspaceOpts = { ...opts, TRUSTIFY_DA_WORKSPACE_DIR: root };
+    const concurrency = resolveBatchConcurrency(opts);
+    let sbomByPurl;
+    try {
+        sbomByPurl = await generateSboms(manifestPaths, workspaceOpts, continueOnError, concurrency, collectedErrors);
+    }
+    catch (err) {
+        throw batchError(err.message, wantMetadata, buildBatchAnalysisMetadata(root, ecosystem, manifestPaths.length, 0, collectedErrors));
+    }
+    if (Object.keys(sbomByPurl).length === 0) {
+        throw batchError(`No valid SBOMs produced from ${manifestPaths.length} manifest(s) at ${root}`, wantMetadata, buildBatchAnalysisMetadata(root, ecosystem, manifestPaths.length, 0, collectedErrors));
+    }
+    const analysisResult = await analysis.requestStackBatch(sbomByPurl, theUrl, html, opts);
+    const meta = buildBatchAnalysisMetadata(root, ecosystem, manifestPaths.length, Object.keys(sbomByPurl).length, collectedErrors);
+    if (wantMetadata) {
+        return { analysis: analysisResult, metadata: meta };
+    }
+    return analysisResult;
+}
 /**
  * Validates the Exhort token.
  * @param {Options} [opts={}] - Optional parameters, potentially including token override.

package/dist/src/license/index.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Run full license check: resolve project license (with backend identification and details),
+ * get dependency licenses from analysis report, and compute incompatibilities.
+ *
+ * @param {string} sbomContent - CycloneDX SBOM JSON string (the one sent for component analysis)
+ * @param {string} manifestPath - path to manifest
+ * @param {string} url - the backend url to send the request to
+ * @param {import('../index.js').Options} [opts={}]
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} [analysisResult] - analysis result that includes licenses array from backend
+ * @returns {Promise<{ projectLicense: { manifest: Object|null, file: Object|null, mismatch: boolean }, incompatibleDependencies: Array<{ purl: string, licenses: string[], category?: string, reason: string }>, error?: string }>}
+ */
+export function runLicenseCheck(sbomContent: string, manifestPath: string, url: string, opts?: import("../index.js").Options, analysisResult?: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport): Promise<{
+    projectLicense: {
+        manifest: any | null;
+        file: any | null;
+        mismatch: boolean;
+    };
+    incompatibleDependencies: Array<{
+        purl: string;
+        licenses: string[];
+        category?: string;
+        reason: string;
+    }>;
+    error?: string;
+}>;
+export { getCompatibility } from "./license_utils.js";
+export { getProjectLicense, findLicenseFilePath, identifyLicense } from "./project_license.js";
+export { licensesFromReport, normalizeLicensesResponse, getLicenseDetails } from "./licenses_api.js";

package/dist/src/license/index.js

@@ -0,0 +1,100 @@
+/**
+ * License resolution and dependency license compatibility for component analysis.
+ */
+import { getProjectLicense, findLicenseFilePath, identifyLicense } from './project_license.js';
+import { licensesFromReport, getLicenseDetails } from './licenses_api.js';
+import { getCompatibility } from './license_utils.js';
+export { getProjectLicense, findLicenseFilePath, identifyLicense } from './project_license.js';
+export { licensesFromReport, normalizeLicensesResponse, getLicenseDetails } from './licenses_api.js';
+export { getCompatibility } from './license_utils.js';
+/**
+ * Run full license check: resolve project license (with backend identification and details),
+ * get dependency licenses from analysis report, and compute incompatibilities.
+ *
+ * @param {string} sbomContent - CycloneDX SBOM JSON string (the one sent for component analysis)
+ * @param {string} manifestPath - path to manifest
+ * @param {string} url - the backend url to send the request to
+ * @param {import('../index.js').Options} [opts={}]
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} [analysisResult] - analysis result that includes licenses array from backend
+ * @returns {Promise<{ projectLicense: { manifest: Object|null, file: Object|null, mismatch: boolean }, incompatibleDependencies: Array<{ purl: string, licenses: string[], category?: string, reason: string }>, error?: string }>}
+ */
+export async function runLicenseCheck(sbomContent, manifestPath, url, opts = {}, analysisResult = null) {
+    // Resolve project license from manifest and LICENSE file
+    const projectLicense = getProjectLicense(manifestPath);
+    // Try backend identification for LICENSE file (more accurate than local pattern matching)
+    const licenseFilePath = findLicenseFilePath(manifestPath);
+    let backendFileId = null;
+    if (licenseFilePath) {
+        try {
+            backendFileId = await identifyLicense(licenseFilePath, { ...opts, TRUSTIFY_DA_BACKEND_URL: url });
+        }
+        catch {
+            // Fall back to local detection
+        }
+    }
+    // Determine final license identifiers
+    const manifestSpdx = projectLicense.fromManifest;
+    const fileSpdx = backendFileId || projectLicense.fromFile;
+    const mismatch = Boolean(manifestSpdx && fileSpdx && manifestSpdx.toLowerCase() !== fileSpdx.toLowerCase());
+    // Fetch detailed license info from backend (avoid duplicate calls if same license)
+    const licenseDetailsCache = new Map();
+    async function getDetails(spdxId) {
+        if (!spdxId || !url)
+            return null;
+        if (licenseDetailsCache.has(spdxId))
+            return licenseDetailsCache.get(spdxId);
+        try {
+            const details = await getLicenseDetails(spdxId, { ...opts, TRUSTIFY_DA_BACKEND_URL: url });
+            licenseDetailsCache.set(spdxId, details);
+            return details;
+        }
+        catch {
+            return null;
+        }
+    }
+    const manifestLicenseInfo = await getDetails(manifestSpdx);
+    const fileLicenseInfo = await getDetails(fileSpdx);
+    // Extract dependency purls from SBOM (exclude root component)
+    const sbomObj = typeof sbomContent === 'string' ? JSON.parse(sbomContent) : sbomContent;
+    const rootRef = sbomObj?.metadata?.component?.["bom-ref"] || sbomObj?.metadata?.component?.purl;
+    const purls = (sbomObj?.components || [])
+        .map(c => c.purl || c["bom-ref"])
+        .filter(Boolean)
+        .filter(purl => !rootRef || purl !== rootRef);
+    if (purls.length === 0) {
+        return {
+            projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+            incompatibleDependencies: []
+        };
+    }
+    // Get dependency licenses from analysis report
+    const licenseByPurl = licensesFromReport(analysisResult, purls);
+    if (licenseByPurl.size === 0 && analysisResult) {
+        return {
+            projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+            incompatibleDependencies: [],
+            error: 'No license data available in analysis report'
+        };
+    }
+    // Check compatibility for each dependency
+    const projectCategory = manifestLicenseInfo?.category || fileLicenseInfo?.category;
+    const incompatibleDependencies = [];
+    for (const purl of purls) {
+        const entry = licenseByPurl.get(purl);
+        if (!entry)
+            continue;
+        const status = getCompatibility(projectCategory, entry.category);
+        if (status === 'incompatible') {
+            incompatibleDependencies.push({
+                purl,
+                licenses: entry.licenses,
+                category: entry.category,
+                reason: 'Dependency license(s) are incompatible with the project license.'
+            });
+        }
+    }
+    return {
+        projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+        incompatibleDependencies
+    };
+}