@trustify-da/trustify-da-javascript-client 0.3.0-ea.d71f957 → 0.3.0-ea.d84439a

package/README.md

@@ -224,7 +224,8 @@ $ trustify-da-javascript-client license /path/to/package.json
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://pnpm.io/">pnpm</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://classic.yarnpkg.com/">Yarn Classic</a> /  <a href="https://yarnpkg.com/">Yarn Berry</a></li>
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
-<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a> (<code>requirements.txt</code>)</li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://python-poetry.org/">Poetry</a> / <a href="https://docs.astral.sh/uv/">uv</a> (<code>pyproject.toml</code>)</li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
 <li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
 </ul>
@@ -391,7 +392,30 @@ version = "1.10"
 log = "0.4" # trustify-da-ignore
 ```
 
-All of the 6 above examples are valid for marking a package to be ignored
+
+<em>Python pyproject.toml</em> users can add a comment with <code>#exhortignore</code> (or <code># trustify-da-ignore</code>) next to the dependency in <code>pyproject.toml</code>.
+
+PEP 621 style (<code>[project]</code> dependencies):
+```toml
+[project]
+dependencies = [
+    "flask>=2.0.3",
+    "requests>=2.25.1",
+    "uvicorn>=0.17.0", #exhortignore
+    "click>=8.0.4", # trustify-da-ignore
+]
+```
+
+Poetry style (<code>[tool.poetry.dependencies]</code>):
+```toml
+[tool.poetry.dependencies]
+flask = "^2.0.3"
+requests = "^2.25.1"
+uvicorn = "^0.17.0" #exhortignore
+click = "^8.0.4" # trustify-da-ignore
+```
+
+All of the above examples are valid for marking a package to be ignored
 </li>
 </ul>
 
@@ -421,6 +445,8 @@ let options = {
   'TRUSTIFY_DA_PIP3_PATH' : '/path/to/pip3',
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
+  'TRUSTIFY_DA_UV_PATH' : '/path/to/uv',
+  'TRUSTIFY_DA_POETRY_PATH' : '/path/to/poetry',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
   'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
   // Workspace root for monorepos (Cargo, npm/pnpm/yarn); lock file expected here
@@ -567,6 +593,16 @@ following keys for setting custom paths for the said executables.
 <td>TRUSTIFY_DA_CARGO_PATH</td>
 </tr>
 <tr>
+<td><a href="https://docs.astral.sh/uv/">uv</a></td>
+<td><em>uv</em></td>
+<td>TRUSTIFY_DA_UV_PATH</td>
+</tr>
+<tr>
+<td><a href="https://python-poetry.org/">Poetry</a></td>
+<td><em>poetry</em></td>
+<td>TRUSTIFY_DA_POETRY_PATH</td>
+</tr>
+<tr>
 <td>Workspace root (monorepos)</td>
 <td>—</td>
 <td>workspaceDir / TRUSTIFY_DA_WORKSPACE_DIR</td>
@@ -619,6 +655,24 @@ TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED=false
 
 #### Python Support
 
+The client supports two Python manifest formats:
+
+- **`requirements.txt`** — uses pip/pip3 to resolve dependencies
+- **`pyproject.toml`** — uses [uv](https://docs.astral.sh/uv/) or [Poetry](https://python-poetry.org/) to resolve dependencies
+
+##### pyproject.toml
+
+For `pyproject.toml` projects, the client detects which tool manages the project by checking for lock files:
+- If `poetry.lock` is present and `[tool.poetry]` is defined, **Poetry** is used (`poetry show --tree` and `poetry show --all`)
+- If `uv.lock` is present, **uv** is used (`uv export --format requirements.txt --frozen --no-hashes`)
+- If neither lock file is found, an error is thrown
+
+Both PEP 621 (`[project]` dependencies) and Poetry-style (`[tool.poetry.dependencies]`) are supported.
+
+Custom executable paths can be set via `TRUSTIFY_DA_UV_PATH` and `TRUSTIFY_DA_POETRY_PATH`.
+
+##### requirements.txt
+
 By default, For python support, the api assumes that the package is installed using the pip/pip3 binary on the system PATH, or using the customized
 Binaries passed to environment variables. In any case, If the package is not installed , then an error will be thrown.
 

package/dist/package.json

@@ -38,7 +38,7 @@
         "lint": "eslint src test --ext js",
         "lint:fix": "eslint src test --ext js --fix",
         "test": "c8 npm run tests",
-        "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
+        "tests": "mocha --config .mocharc.json",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
         "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
         "precompile": "rm -rf dist",

package/dist/src/analysis.js

@@ -189,7 +189,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
-    const resp = await fetch(finalUrl, {
+    const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
             'Accept': html ? 'text/html' : 'application/json',
@@ -197,7 +197,8 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
             ...getTokenHeaders(opts)
         },
         body: JSON.stringify(imageSboms),
-    });
+    }, opts);
+    const resp = await fetch(finalUrl, fetchOptions);
     if (resp.status === 200) {
         let result;
         if (!html) {

package/dist/src/cli.js

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
+import fs from 'node:fs';
 import * as path from "path";
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import { getProjectLicense, getLicenseDetails } from './license/index.js';
-import client, { selectTrustifyDABackend } from './index.js';
+import client, { selectTrustifyDABackend, generateSbom } from './index.js';
 // command for component analysis take manifest type and content
 const component = {
     command: 'component </path/to/manifest>',
@@ -325,15 +326,63 @@ const license = {
         console.log(JSON.stringify(output, null, 2));
     }
 };
+const sbom = {
+    command: 'sbom </path/to/manifest> [--output]',
+    desc: 'generate a CycloneDX SBOM from a manifest file',
+    builder: yargs => yargs.positional('/path/to/manifest', {
+        desc: 'manifest path for SBOM generation',
+        type: 'string',
+        normalize: true,
+    }).options({
+        output: {
+            alias: 'o',
+            desc: 'Write SBOM JSON to a file instead of stdout',
+            type: 'string',
+            normalize: true,
+        },
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
+        }
+    }),
+    handler: async (args) => {
+        let manifest = args['/path/to/manifest'];
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
+        let result;
+        try {
+            result = await generateSbom(manifest, opts);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: `Failed to generate SBOM: ${err.message}` }, null, 2));
+            process.exit(1);
+        }
+        const json = JSON.stringify(result, null, 2);
+        if (args.output) {
+            try {
+                fs.writeFileSync(args.output, json);
+            }
+            catch (err) {
+                console.error(JSON.stringify({ error: `Failed to write output file: ${err.message}` }, null, 2));
+                process.exit(1);
+            }
+        }
+        else {
+            console.log(json);
+        }
+    }
+};
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license|sbom}`)
     .command(stack)
     .command(stackBatch)
     .command(component)
     .command(image)
     .command(validateToken)
     .command(license)
+    .command(sbom)
     .scriptName('')
     .version(false)
     .demandCommand(1)

package/dist/src/index.d.ts

@@ -13,6 +13,15 @@ export function selectTrustifyDABackend(opts?: {
     TRUSTIFY_DA_DEBUG?: string | undefined;
     TRUSTIFY_DA_BACKEND_URL?: string | undefined;
 }): string;
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export function generateSbom(manifestPath: string, opts?: Options): Promise<object>;
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 declare namespace _default {
@@ -21,6 +30,7 @@ declare namespace _default {
     export { stackAnalysisBatch };
     export { imageAnalysis };
     export { validateToken };
+    export { generateSbom };
 }
 export default _default;
 export type Options = {
@@ -64,6 +74,8 @@ export type Options = {
     TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined;
     batchMetadata?: boolean | undefined;
     TRUSTIFY_DA_BATCH_METADATA?: string | undefined;
+    TRUSTIFY_DA_UV_PATH?: string | undefined;
+    TRUSTIFY_DA_POETRY_PATH?: string | undefined;
     [key: string]: string | number | boolean | string[] | undefined;
 };
 export type BatchAnalysisMetadata = {

package/dist/src/index.js

@@ -12,7 +12,7 @@ import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
-export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken };
+export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
 export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
@@ -56,6 +56,8 @@ export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson
  * TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined,
  * batchMetadata?: boolean | undefined,
  * TRUSTIFY_DA_BATCH_METADATA?: string | undefined,
+ * TRUSTIFY_DA_UV_PATH?: string | undefined,
+ * TRUSTIFY_DA_POETRY_PATH?: string | undefined,
  * [key: string]: string | number | boolean | string[] | undefined,
  * }} Options
  */
@@ -235,6 +237,22 @@ function buildBatchAnalysisMetadata(root, ecosystem, totalSbomAttempts, successf
         errors: [...errors],
     };
 }
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export async function generateSbom(manifestPath, opts = {}) {
+    fs.accessSync(manifestPath, fs.constants.R_OK);
+    const result = await generateOneSbom(manifestPath, opts);
+    if (!result.ok) {
+        throw new Error(`Failed to generate SBOM for ${result.manifestPath}: ${result.reason}`);
+    }
+    return result.sbom;
+}
 /**
  * @typedef {{ ok: true, purl: string, sbom: object } | { ok: false, manifestPath: string, reason: string }} SbomResult
  */

package/dist/src/oci_image/utils.js

@@ -135,7 +135,7 @@ function execSyft(imageRef, opts = {}) {
 function getSyftEnvs(dockerPath, podmanPath) {
     let path = null;
     if (dockerPath && podmanPath) {
-        path = `${dockerPath}${File.pathSeparator}${podmanPath}`;
+        path = `${dockerPath}${delimiter}${podmanPath}`;
     }
     else if (dockerPath) {
         path = dockerPath;
@@ -276,7 +276,16 @@ function podmanGetVariant(opts = {}) {
  * @returns {string} - The information
  */
 function dockerPodmanInfo(dockerSupplier, podmanSupplier, opts = {}) {
-    return dockerSupplier(opts) || podmanSupplier(opts);
+    try {
+        const result = dockerSupplier(opts);
+        if (result) {
+            return result;
+        }
+    }
+    catch (_) {
+        // docker not available, fall through to podman
+    }
+    return podmanSupplier(opts);
 }
 /**
  * Gets the digests for an image

package/dist/src/provider.js

@@ -7,6 +7,8 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_poetry from './providers/python_poetry.js';
+import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
 /** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
@@ -23,6 +25,8 @@ export const availableProviders = [
     new Javascript_npm(),
     golangGomodulesProvider,
     pythonPipProvider,
+    new Python_poetry(),
+    new Python_uv(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_pyproject.d.ts

@@ -0,0 +1,170 @@
+/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
+/** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
+/** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
+export default class Base_pyproject {
+    /**
+     * @param {string} manifestName
+     * @returns {boolean}
+     */
+    isSupported(manifestName: string): boolean;
+    /**
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: any): boolean;
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    protected _findLockFileDir(manifestDir: string, opts?: any): string | null;
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    protected _isWorkspaceRoot(dir: string): boolean;
+    /**
+     * Read project license from pyproject.toml, with fallback to LICENSE file.
+     * @param {string} manifestPath
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath: string): string | null;
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    provideStack(manifest: string, opts?: any): Promise<Provided>;
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    provideComponent(manifest: string, opts?: any): Promise<Provided>;
+    /**
+     * @returns {string}
+     * @protected
+     */
+    protected _lockFileName(): string;
+    /**
+     * @returns {string}
+     * @protected
+     */
+    protected _cmdName(): string;
+    /**
+     * Resolve dependencies using the tool-specific command and parser.
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<DependencyData>}
+     * @protected
+     */
+    protected _getDependencyData(manifestDir: string, workspaceDir: string, parsed: object, opts: any): Promise<DependencyData>;
+    /**
+     * Canonicalize a Python package name per PEP 503.
+     * @param {string} name
+     * @returns {string}
+     * @protected
+     */
+    protected _canonicalize(name: string): string;
+    /**
+     * Get the project name from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    protected _getProjectName(parsed: object): string | null;
+    /**
+     * Get the project version from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    protected _getProjectVersion(parsed: object): string | null;
+    /**
+     * Scan raw pyproject.toml text for dependencies with ignore markers.
+     * @param {string} manifestPath
+     * @returns {Set<string>}
+     * @protected
+     */
+    protected _getIgnoredDeps(manifestPath: string): Set<string>;
+    /**
+     * Build dependency tree from graph, starting from direct deps.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {Set<string>} ignoredDeps
+     * @param {boolean} includeTransitive
+     * @returns {DepTreeEntry[]}
+     * @protected
+     */
+    protected _buildDependencyTree(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>, includeTransitive: boolean): DepTreeEntry[];
+    /**
+     * Recursively collect transitive dependencies.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} childKeys
+     * @param {DepTreeEntry[]} result - mutated in place
+     * @param {Set<string>} ignoredDeps
+     * @param {Set<string>} visited
+     * @returns {void}
+     * @protected
+     */
+    protected _collectTransitive(graph: Map<string, GraphEntry>, childKeys: string[], result: DepTreeEntry[], ignoredDeps: Set<string>, visited: Set<string>): void;
+    /**
+     * @param {string} name
+     * @param {string} version
+     * @returns {PackageURL}
+     * @protected
+     */
+    protected _toPurl(name: string, version: string): PackageURL;
+    /**
+     * Recursively add a dependency and its transitive deps to the SBOM.
+     * @param {PackageURL} source
+     * @param {DepTreeEntry} dep
+     * @param {Sbom} sbom
+     * @returns {void}
+     * @private
+     */
+    private _addAllDependencies;
+    /**
+     * Create SBOM json string for a pyproject.toml project.
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} opts
+     * @param {boolean} includeTransitive
+     * @returns {Promise<string>}
+     * @private
+     */
+    private _createSbom;
+}
+export type GraphEntry = {
+    name: string;
+    version: string;
+    children: string[];
+};
+export type DepTreeEntry = {
+    name: string;
+    version: string;
+    dependencies: DepTreeEntry[];
+};
+export type DependencyData = {
+    directDeps: string[];
+    graph: Map<string, GraphEntry>;
+};
+export type Provided = {
+    ecosystem: string;
+    content: string;
+    contentType: string;
+};
+import { PackageURL } from 'packageurl-js';

package/dist/src/providers/base_pyproject.js

@@ -0,0 +1,338 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { PackageURL } from 'packageurl-js';
+import { parse as parseToml } from 'smol-toml';
+import { getLicense } from '../license/license_utils.js';
+import Sbom from '../sbom.js';
+import { getCustom } from '../tools.js';
+const ecosystem = 'pip';
+const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
+const DEFAULT_ROOT_NAME = 'default-pip-root';
+const DEFAULT_ROOT_VERSION = '0.0.0';
+/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
+/** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
+/** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
+export default class Base_pyproject {
+    /**
+     * @param {string} manifestName
+     * @returns {boolean}
+     */
+    isSupported(manifestName) {
+        return 'pyproject.toml' === manifestName;
+    }
+    /**
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir, opts = {}) {
+        return this._findLockFileDir(manifestDir, opts) != null;
+    }
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        let dir = path.resolve(manifestDir);
+        let parent = dir;
+        do {
+            dir = parent;
+            if (fs.existsSync(path.join(dir, this._lockFileName()))) {
+                return dir;
+            }
+            if (this._isWorkspaceRoot(dir)) {
+                return null;
+            }
+            parent = path.dirname(dir);
+        } while (parent !== dir);
+        return null;
+    }
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    _isWorkspaceRoot(dir) {
+        const pyprojectPath = path.join(dir, 'pyproject.toml');
+        if (!fs.existsSync(pyprojectPath)) {
+            return false;
+        }
+        try {
+            const content = parseToml(fs.readFileSync(pyprojectPath, 'utf-8'));
+            if (content.tool?.uv?.workspace) {
+                return true;
+            }
+        }
+        catch (_) {
+            // ignore parse errors
+        }
+        return false;
+    }
+    /**
+     * Read project license from pyproject.toml, with fallback to LICENSE file.
+     * @param {string} manifestPath
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath) {
+        let fromManifest = null;
+        try {
+            let content = fs.readFileSync(manifestPath, 'utf-8');
+            let parsed = parseToml(content);
+            fromManifest = parsed.project?.license;
+            if (typeof fromManifest === 'object' && fromManifest != null) {
+                fromManifest = fromManifest.text || null;
+            }
+            if (!fromManifest) {
+                fromManifest = parsed.tool?.poetry?.license || null;
+            }
+        }
+        catch (_) {
+            // leave fromManifest as null
+        }
+        return getLicense(fromManifest, manifestPath);
+    }
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    async provideStack(manifest, opts = {}) {
+        return {
+            ecosystem,
+            content: await this._createSbom(manifest, opts, true),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    async provideComponent(manifest, opts = {}) {
+        return {
+            ecosystem,
+            content: await this._createSbom(manifest, opts, false),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    // --- abstract methods (subclasses must override) ---
+    /**
+     * @returns {string}
+     * @protected
+     */
+    _lockFileName() {
+        throw new TypeError('_lockFileName must be implemented');
+    }
+    /**
+     * @returns {string}
+     * @protected
+     */
+    _cmdName() {
+        throw new TypeError('_cmdName must be implemented');
+    }
+    /**
+     * Resolve dependencies using the tool-specific command and parser.
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<DependencyData>}
+     * @protected
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, workspaceDir, parsed, opts) {
+        throw new TypeError('_getDependencyData must be implemented');
+    }
+    // --- shared helpers ---
+    /**
+     * Canonicalize a Python package name per PEP 503.
+     * @param {string} name
+     * @returns {string}
+     * @protected
+     */
+    _canonicalize(name) {
+        return name.toLowerCase().replace(/[-_.]+/g, '-');
+    }
+    /**
+     * Get the project name from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    _getProjectName(parsed) {
+        return parsed.project?.name || parsed.tool?.poetry?.name || null;
+    }
+    /**
+     * Get the project version from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    _getProjectVersion(parsed) {
+        return parsed.project?.version || parsed.tool?.poetry?.version || null;
+    }
+    /**
+     * Scan raw pyproject.toml text for dependencies with ignore markers.
+     * @param {string} manifestPath
+     * @returns {Set<string>}
+     * @protected
+     */
+    _getIgnoredDeps(manifestPath) {
+        let ignored = new Set();
+        let content = fs.readFileSync(manifestPath, 'utf-8');
+        let lines = content.split(/\r?\n/);
+        for (let line of lines) {
+            if (!IGNORE_MARKERS.some(m => line.includes(m))) {
+                continue;
+            }
+            // PEP 621 style: "requests>=2.25" #exhortignore
+            let pep621Match = line.match(/^\s*"([^"]+)"/);
+            if (pep621Match) {
+                let reqStr = pep621Match[1];
+                let nameMatch = reqStr.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+                if (nameMatch) {
+                    ignored.add(this._canonicalize(nameMatch[1]));
+                }
+                continue;
+            }
+            // Poetry style: requests = "^2.25" #exhortignore
+            let poetryMatch = line.match(/^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*=/);
+            if (poetryMatch) {
+                ignored.add(this._canonicalize(poetryMatch[1]));
+            }
+        }
+        return ignored;
+    }
+    /**
+     * Build dependency tree from graph, starting from direct deps.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {Set<string>} ignoredDeps
+     * @param {boolean} includeTransitive
+     * @returns {DepTreeEntry[]}
+     * @protected
+     */
+    _buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive) {
+        let result = [];
+        for (let key of directDeps) {
+            if (ignoredDeps.has(key)) {
+                continue;
+            }
+            let entry = graph.get(key);
+            if (!entry) {
+                continue;
+            }
+            let depTree = [];
+            if (includeTransitive) {
+                let visited = new Set();
+                visited.add(key);
+                this._collectTransitive(graph, entry.children, depTree, ignoredDeps, visited);
+            }
+            result.push({ name: entry.name, version: entry.version, dependencies: depTree });
+        }
+        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+        return result;
+    }
+    /**
+     * Recursively collect transitive dependencies.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} childKeys
+     * @param {DepTreeEntry[]} result - mutated in place
+     * @param {Set<string>} ignoredDeps
+     * @param {Set<string>} visited
+     * @returns {void}
+     * @protected
+     */
+    _collectTransitive(graph, childKeys, result, ignoredDeps, visited) {
+        for (let childKey of childKeys) {
+            let canonKey = this._canonicalize(childKey);
+            if (ignoredDeps.has(canonKey)) {
+                continue;
+            }
+            if (visited.has(canonKey)) {
+                continue;
+            }
+            visited.add(canonKey);
+            let entry = graph.get(canonKey);
+            if (!entry) {
+                continue;
+            }
+            let childDeps = [];
+            this._collectTransitive(graph, entry.children, childDeps, ignoredDeps, visited);
+            result.push({ name: entry.name, version: entry.version, dependencies: childDeps });
+        }
+        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+    }
+    /**
+     * @param {string} name
+     * @param {string} version
+     * @returns {PackageURL}
+     * @protected
+     */
+    _toPurl(name, version) {
+        return new PackageURL('pypi', undefined, name, version, undefined, undefined);
+    }
+    /**
+     * Recursively add a dependency and its transitive deps to the SBOM.
+     * @param {PackageURL} source
+     * @param {DepTreeEntry} dep
+     * @param {Sbom} sbom
+     * @returns {void}
+     * @private
+     */
+    _addAllDependencies(source, dep, sbom) {
+        let targetPurl = this._toPurl(dep.name, dep.version);
+        sbom.addDependency(source, targetPurl);
+        if (dep.dependencies && dep.dependencies.length > 0) {
+            dep.dependencies.forEach(child => this._addAllDependencies(this._toPurl(dep.name, dep.version), child, sbom));
+        }
+    }
+    /**
+     * Create SBOM json string for a pyproject.toml project.
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} opts
+     * @param {boolean} includeTransitive
+     * @returns {Promise<string>}
+     * @private
+     */
+    async _createSbom(manifest, opts, includeTransitive) {
+        let manifestDir = path.dirname(manifest);
+        let content = fs.readFileSync(manifest, 'utf-8');
+        let parsed = parseToml(content);
+        let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
+        let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
+        let ignoredDeps = this._getIgnoredDeps(manifest);
+        let dependencies = this._buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive);
+        let sbom = new Sbom();
+        let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
+        let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
+        let rootPurl = this._toPurl(rootName, rootVersion);
+        let license = this.readLicenseFromManifest(manifest);
+        sbom.addRoot(rootPurl, license);
+        dependencies.forEach(dep => {
+            if (includeTransitive) {
+                this._addAllDependencies(rootPurl, dep, sbom);
+            }
+            else {
+                sbom.addDependency(rootPurl, this._toPurl(dep.name, dep.version));
+            }
+        });
+        return sbom.getAsJsonString(opts);
+    }
+}

package/dist/src/providers/python_poetry.d.ts

@@ -0,0 +1,42 @@
+export default class Python_poetry extends Base_pyproject {
+    /**
+     * Get poetry show --tree output.
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowTreeOutput(manifestDir: string, opts: any): string;
+    /**
+     * Get poetry show --all output (flat list with resolved versions).
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowAllOutput(manifestDir: string, opts: any): string;
+    /**
+     * Parse poetry show --all output into a version map.
+     * Lines look like: "name         (!) 1.2.3  Description text..."
+     * or:              "name             1.2.3  Description text..."
+     * @param {string} output
+     * @returns {Map<string, string>} canonical name -> version
+     */
+    _parsePoetryShowAll(output: string): Map<string, string>;
+    /**
+     * Parse poetry show --tree output into a dependency graph structure.
+     * Top-level lines (no indentation/tree chars) are direct deps: "name version description"
+     * Indented lines are transitive deps with tree chars: "├── name >=constraint"
+     *
+     * @param {string} treeOutput
+     * @param {Map<string, string>} versionMap - canonical name -> resolved version
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePoetryTree(treeOutput: string, versionMap: Map<string, string>): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_poetry.js

@@ -0,0 +1,169 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { environmentVariableIsPopulated, getCustom, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+export default class Python_poetry extends Base_pyproject {
+    /**
+     * Poetry has no native workspace/monorepo support (python-poetry/poetry#2270).
+     * Each poetry project is treated independently — no lock file walk-up.
+     * Running `poetry show` from a parent directory returns the parent's deps, not
+     * the sub-package's, so walk-up would produce incorrect SBOMs.
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        const dir = path.resolve(manifestDir);
+        return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+    }
+    /** @returns {string} */
+    _lockFileName() {
+        return 'poetry.lock';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'poetry';
+    }
+    /**
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (poetry has no workspace support)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
+        let treeOutput = this._getPoetryShowTreeOutput(manifestDir, opts);
+        let showAllOutput = this._getPoetryShowAllOutput(manifestDir, opts);
+        let versionMap = this._parsePoetryShowAll(showAllOutput);
+        return this._parsePoetryTree(treeOutput, versionMap);
+    }
+    /**
+     * Get poetry show --tree output.
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowTreeOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_POETRY_SHOW_TREE')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_POETRY_SHOW_TREE'], 'base64').toString('utf-8');
+        }
+        let poetryBin = getCustomPath('poetry', opts);
+        return invokeCommand(poetryBin, ['show', '--tree', '--no-ansi'], { cwd: manifestDir }).toString();
+    }
+    /**
+     * Get poetry show --all output (flat list with resolved versions).
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowAllOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_POETRY_SHOW_ALL')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_POETRY_SHOW_ALL'], 'base64').toString('utf-8');
+        }
+        let poetryBin = getCustomPath('poetry', opts);
+        return invokeCommand(poetryBin, ['show', '--no-ansi', '--all'], { cwd: manifestDir }).toString();
+    }
+    /**
+     * Parse poetry show --all output into a version map.
+     * Lines look like: "name         (!) 1.2.3  Description text..."
+     * or:              "name             1.2.3  Description text..."
+     * @param {string} output
+     * @returns {Map<string, string>} canonical name -> version
+     */
+    _parsePoetryShowAll(output) {
+        let versions = new Map();
+        let lines = output.split(/\r?\n/);
+        for (let line of lines) {
+            let trimmed = line.trim();
+            if (!trimmed) {
+                continue;
+            }
+            let match = trimmed.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s+(?:\(!\)\s+)?(\S+)/);
+            if (match) {
+                versions.set(this._canonicalize(match[1]), match[2]);
+            }
+        }
+        return versions;
+    }
+    /**
+     * Parse poetry show --tree output into a dependency graph structure.
+     * Top-level lines (no indentation/tree chars) are direct deps: "name version description"
+     * Indented lines are transitive deps with tree chars: "├── name >=constraint"
+     *
+     * @param {string} treeOutput
+     * @param {Map<string, string>} versionMap - canonical name -> resolved version
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePoetryTree(treeOutput, versionMap) {
+        let lines = treeOutput.split(/\r?\n/);
+        let graph = new Map();
+        let directDeps = [];
+        let stack = []; // [{key, depth}]
+        let currentDirectDep = null;
+        for (let line of lines) {
+            if (!line.trim()) {
+                continue;
+            }
+            // top-level line: "name version description..."
+            let topMatch = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s+(\S+)(?:\s|$)/);
+            if (topMatch) {
+                let name = topMatch[1];
+                let version = topMatch[2];
+                let key = this._canonicalize(name);
+                directDeps.push(key);
+                if (!graph.has(key)) {
+                    graph.set(key, { name, version, children: [] });
+                }
+                currentDirectDep = key;
+                stack = [{ key, depth: -1 }];
+                continue;
+            }
+            if (!currentDirectDep) {
+                continue;
+            }
+            // indented line with tree chars (UTF-8 box-drawing: ├── └── │)
+            let nameStart = line.search(/[A-Za-z0-9]/);
+            if (nameStart < 0) {
+                continue;
+            }
+            let rest = line.substring(nameStart);
+            let depMatch = rest.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)/);
+            if (!depMatch) {
+                continue;
+            }
+            let depName = depMatch[1];
+            let depKey = this._canonicalize(depName);
+            // determine depth by counting tree-drawing groups in the prefix
+            let prefix = line.substring(0, nameStart);
+            let depth = (prefix.match(/(?:[├└│ ][\s─]{2} ?)/g) || []).length;
+            // resolve version from the version map
+            let version = versionMap.get(depKey) || null;
+            if (!version) {
+                throw new Error(`poetry: package '${depName}' has no resolved version`);
+            }
+            if (!graph.has(depKey)) {
+                graph.set(depKey, { name: depName, version, children: [] });
+            }
+            // pop stack back to find the parent at depth-1
+            while (stack.length > 0 && stack[stack.length - 1].depth >= depth) {
+                stack.pop();
+            }
+            if (stack.length > 0) {
+                let parentKey = stack[stack.length - 1].key;
+                let parentEntry = graph.get(parentKey);
+                if (parentEntry && !parentEntry.children.includes(depKey)) {
+                    parentEntry.children.push(depKey);
+                }
+            }
+            stack.push({ key: depKey, depth });
+        }
+        return { directDeps, graph };
+    }
+}

package/dist/src/providers/python_uv.d.ts

@@ -0,0 +1,27 @@
+export default class Python_uv extends Base_pyproject {
+    /**
+     * Get the uv export output, either from env var or by running the command.
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getUvExportOutput(manifestDir: string, opts: any): string;
+    /**
+     * Parse uv export output into a dependency graph using tree-sitter-requirements
+     * for package/version extraction and string parsing for "# via" comments.
+     *
+     * @param {string} output
+     * @param {string} projectName - canonical project name to identify direct deps
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    _parseUvExport(output: string, projectName: string, workspaceDir: string): Promise<{
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    }>;
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_uv.js

@@ -0,0 +1,146 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { parse as parseToml } from 'smol-toml';
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+import { getParser, getPinnedVersionQuery } from './requirements_parser.js';
+export default class Python_uv extends Base_pyproject {
+    /** @returns {string} */
+    _lockFileName() {
+        return 'uv.lock';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'uv';
+    }
+    /**
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    async _getDependencyData(manifestDir, workspaceDir, parsed, opts) {
+        let projectName = this._getProjectName(parsed);
+        let uvOutput = this._getUvExportOutput(manifestDir, opts);
+        return this._parseUvExport(uvOutput, projectName, workspaceDir);
+    }
+    /**
+     * Get the uv export output, either from env var or by running the command.
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getUvExportOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_UV_EXPORT')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_UV_EXPORT'], 'base64').toString('ascii');
+        }
+        let uvBin = getCustomPath('uv', opts);
+        return invokeCommand(uvBin, ['export', '--format', 'requirements.txt', '--frozen', '--no-hashes'], { cwd: manifestDir }).toString();
+    }
+    /**
+     * Parse uv export output into a dependency graph using tree-sitter-requirements
+     * for package/version extraction and string parsing for "# via" comments.
+     *
+     * @param {string} output
+     * @param {string} projectName - canonical project name to identify direct deps
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    async _parseUvExport(output, projectName, workspaceDir) {
+        let [parser, pinnedVersionQuery] = await Promise.all([
+            getParser(), getPinnedVersionQuery()
+        ]);
+        let tree = parser.parse(output);
+        let root = tree.rootNode;
+        let canonProjectName = this._canonicalize(projectName);
+        let packages = new Map(); // canonical name -> {name, version, parents: Set}
+        let currentPkg = null;
+        let collectingVia = false;
+        for (let child of root.children) {
+            if (child.type === 'global_opt') {
+                let optNode = child.children.find(c => c.type === 'option');
+                let pathNode = child.children.find(c => c.type === 'path');
+                if (optNode?.text === '-e' && pathNode && workspaceDir) {
+                    let memberDir = path.resolve(workspaceDir, pathNode.text);
+                    let memberManifest = path.join(memberDir, 'pyproject.toml');
+                    if (fs.existsSync(memberManifest)) {
+                        let memberParsed = parseToml(fs.readFileSync(memberManifest, 'utf-8'));
+                        let name = memberParsed.project?.name || memberParsed.tool?.poetry?.name;
+                        let version = memberParsed.project?.version || memberParsed.tool?.poetry?.version;
+                        if (name && version) {
+                            let key = this._canonicalize(name);
+                            currentPkg = { name, version, parents: new Set() };
+                            packages.set(key, currentPkg);
+                            collectingVia = false;
+                            continue;
+                        }
+                    }
+                }
+                currentPkg = null;
+                collectingVia = false;
+                continue;
+            }
+            if (child.type === 'requirement') {
+                let nameNode = child.children.find(c => c.type === 'package');
+                if (!nameNode) {
+                    continue;
+                }
+                let name = nameNode.text;
+                let version = null;
+                let versionMatches = pinnedVersionQuery.matches(child);
+                if (versionMatches.length > 0) {
+                    version = versionMatches[0].captures.find(c => c.name === 'version').node.text;
+                }
+                if (!version) {
+                    throw new Error(`uv export: package '${name}' has no pinned version`);
+                }
+                let key = this._canonicalize(name);
+                currentPkg = { name, version, parents: new Set() };
+                packages.set(key, currentPkg);
+                collectingVia = false;
+                continue;
+            }
+            if (child.type === 'comment' && currentPkg) {
+                let text = child.text.trim();
+                let viaSingle = text.match(/^# via ([A-Za-z0-9][A-Za-z0-9._-]*)$/);
+                if (viaSingle) {
+                    currentPkg.parents.add(this._canonicalize(viaSingle[1]));
+                    collectingVia = false;
+                    continue;
+                }
+                if (text === '# via') {
+                    collectingVia = true;
+                    continue;
+                }
+                if (collectingVia) {
+                    let parentMatch = text.match(/^#\s+([A-Za-z0-9][A-Za-z0-9._-]*)$/);
+                    if (parentMatch) {
+                        currentPkg.parents.add(this._canonicalize(parentMatch[1]));
+                        continue;
+                    }
+                    collectingVia = false;
+                }
+            }
+        }
+        // Build forward dependency map and extract direct deps in one pass
+        let graph = new Map();
+        let directDeps = [];
+        for (let [key, pkg] of packages) {
+            graph.set(key, { name: pkg.name, version: pkg.version, children: [] });
+        }
+        for (let [childKey, pkg] of packages) {
+            for (let parentKey of pkg.parents) {
+                if (parentKey === canonProjectName) {
+                    directDeps.push(childKey);
+                    continue;
+                }
+                let parentEntry = graph.get(parentKey);
+                if (parentEntry) {
+                    parentEntry.children.push(childKey);
+                }
+            }
+        }
+        return { directDeps, graph };
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.d71f957",
+	"version": "0.3.0-ea.d84439a",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",
@@ -38,7 +38,7 @@
 		"lint": "eslint src test --ext js",
 		"lint:fix": "eslint src test --ext js --fix",
 		"test": "c8 npm run tests",
-		"tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
+		"tests": "mocha --config .mocharc.json",
 		"tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
 		"pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
 		"precompile": "rm -rf dist",