@trustify-da/trustify-da-javascript-client 0.3.0-ea.daa4d82 → 0.3.0-ea.f2c4df7

package/dist/src/index.js

@@ -8,6 +8,7 @@ import.meta.dirname;
 import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
+export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
 export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken };
 /**
  * @typedef {{
@@ -35,10 +36,11 @@ export default { componentAnalysis, stackAnalysis, imageAnalysis, validateToken
  * TRUSTIFY_DA_SYFT_CONFIG_PATH?: string | undefined,
  * TRUSTIFY_DA_SYFT_PATH?: string | undefined,
  * TRUSTIFY_DA_YARN_PATH?: string | undefined,
+ * TRUSTIFY_DA_LICENSE_CHECK?: string | undefined,
  * MATCH_MANIFEST_VERSIONS?: string | undefined,
- * RHDA_SOURCE?: string | undefined,
- * RHDA_TOKEN?: string | undefined,
- * RHDA_TELEMETRY_ID?: string | undefined,
+ * TRUSTIFY_DA_SOURCE?: string | undefined,
+ * TRUSTIFY_DA_TOKEN?: string | undefined,
+ * TRUSTIFY_DA_TELEMETRY_ID?: string | undefined,
  * [key: string]: string | undefined,
  * }} Options
  */

package/dist/src/license/index.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Run full license check: resolve project license (with backend identification and details),
+ * get dependency licenses from analysis report, and compute incompatibilities.
+ *
+ * @param {string} sbomContent - CycloneDX SBOM JSON string (the one sent for component analysis)
+ * @param {string} manifestPath - path to manifest
+ * @param {string} url - the backend url to send the request to
+ * @param {import('../index.js').Options} [opts={}]
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} [analysisResult] - analysis result that includes licenses array from backend
+ * @returns {Promise<{ projectLicense: { manifest: Object|null, file: Object|null, mismatch: boolean }, incompatibleDependencies: Array<{ purl: string, licenses: string[], category?: string, reason: string }>, error?: string }>}
+ */
+export function runLicenseCheck(sbomContent: string, manifestPath: string, url: string, opts?: import("../index.js").Options, analysisResult?: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport): Promise<{
+    projectLicense: {
+        manifest: any | null;
+        file: any | null;
+        mismatch: boolean;
+    };
+    incompatibleDependencies: Array<{
+        purl: string;
+        licenses: string[];
+        category?: string;
+        reason: string;
+    }>;
+    error?: string;
+}>;
+export { getCompatibility } from "./license_utils.js";
+export { getProjectLicense, findLicenseFilePath, identifyLicense } from "./project_license.js";
+export { licensesFromReport, normalizeLicensesResponse, getLicenseDetails } from "./licenses_api.js";

package/dist/src/license/index.js

@@ -0,0 +1,100 @@
+/**
+ * License resolution and dependency license compatibility for component analysis.
+ */
+import { getProjectLicense, findLicenseFilePath, identifyLicense } from './project_license.js';
+import { licensesFromReport, getLicenseDetails } from './licenses_api.js';
+import { getCompatibility } from './license_utils.js';
+export { getProjectLicense, findLicenseFilePath, identifyLicense } from './project_license.js';
+export { licensesFromReport, normalizeLicensesResponse, getLicenseDetails } from './licenses_api.js';
+export { getCompatibility } from './license_utils.js';
+/**
+ * Run full license check: resolve project license (with backend identification and details),
+ * get dependency licenses from analysis report, and compute incompatibilities.
+ *
+ * @param {string} sbomContent - CycloneDX SBOM JSON string (the one sent for component analysis)
+ * @param {string} manifestPath - path to manifest
+ * @param {string} url - the backend url to send the request to
+ * @param {import('../index.js').Options} [opts={}]
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} [analysisResult] - analysis result that includes licenses array from backend
+ * @returns {Promise<{ projectLicense: { manifest: Object|null, file: Object|null, mismatch: boolean }, incompatibleDependencies: Array<{ purl: string, licenses: string[], category?: string, reason: string }>, error?: string }>}
+ */
+export async function runLicenseCheck(sbomContent, manifestPath, url, opts = {}, analysisResult = null) {
+    // Resolve project license from manifest and LICENSE file
+    const projectLicense = getProjectLicense(manifestPath);
+    // Try backend identification for LICENSE file (more accurate than local pattern matching)
+    const licenseFilePath = findLicenseFilePath(manifestPath);
+    let backendFileId = null;
+    if (licenseFilePath) {
+        try {
+            backendFileId = await identifyLicense(licenseFilePath, { ...opts, TRUSTIFY_DA_BACKEND_URL: url });
+        }
+        catch {
+            // Fall back to local detection
+        }
+    }
+    // Determine final license identifiers
+    const manifestSpdx = projectLicense.fromManifest;
+    const fileSpdx = backendFileId || projectLicense.fromFile;
+    const mismatch = Boolean(manifestSpdx && fileSpdx && manifestSpdx.toLowerCase() !== fileSpdx.toLowerCase());
+    // Fetch detailed license info from backend (avoid duplicate calls if same license)
+    const licenseDetailsCache = new Map();
+    async function getDetails(spdxId) {
+        if (!spdxId || !url)
+            return null;
+        if (licenseDetailsCache.has(spdxId))
+            return licenseDetailsCache.get(spdxId);
+        try {
+            const details = await getLicenseDetails(spdxId, { ...opts, TRUSTIFY_DA_BACKEND_URL: url });
+            licenseDetailsCache.set(spdxId, details);
+            return details;
+        }
+        catch {
+            return null;
+        }
+    }
+    const manifestLicenseInfo = await getDetails(manifestSpdx);
+    const fileLicenseInfo = await getDetails(fileSpdx);
+    // Extract dependency purls from SBOM (exclude root component)
+    const sbomObj = typeof sbomContent === 'string' ? JSON.parse(sbomContent) : sbomContent;
+    const rootRef = sbomObj?.metadata?.component?.["bom-ref"] || sbomObj?.metadata?.component?.purl;
+    const purls = (sbomObj?.components || [])
+        .map(c => c.purl || c["bom-ref"])
+        .filter(Boolean)
+        .filter(purl => !rootRef || purl !== rootRef);
+    if (purls.length === 0) {
+        return {
+            projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+            incompatibleDependencies: []
+        };
+    }
+    // Get dependency licenses from analysis report
+    const licenseByPurl = licensesFromReport(analysisResult, purls);
+    if (licenseByPurl.size === 0 && analysisResult) {
+        return {
+            projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+            incompatibleDependencies: [],
+            error: 'No license data available in analysis report'
+        };
+    }
+    // Check compatibility for each dependency
+    const projectCategory = manifestLicenseInfo?.category || fileLicenseInfo?.category;
+    const incompatibleDependencies = [];
+    for (const purl of purls) {
+        const entry = licenseByPurl.get(purl);
+        if (!entry)
+            continue;
+        const status = getCompatibility(projectCategory, entry.category);
+        if (status === 'incompatible') {
+            incompatibleDependencies.push({
+                purl,
+                licenses: entry.licenses,
+                category: entry.category,
+                reason: 'Dependency license(s) are incompatible with the project license.'
+            });
+        }
+    }
+    return {
+        projectLicense: { manifest: manifestLicenseInfo, file: fileLicenseInfo, mismatch },
+        incompatibleDependencies
+    };
+}

package/dist/src/license/license_utils.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Find LICENSE file path in the same directory as the manifest.
+ * @param {string} manifestPath
+ * @returns {string|null} - path to LICENSE file or null if not found
+ */
+export function findLicenseFilePath(manifestPath: string): string | null;
+/**
+ * Very simple SPDX detection from common license text (first ~500 chars).
+ * @param {string} text
+ * @returns {string|null}
+ */
+export function detectSpdxFromText(text: string): string | null;
+/**
+ * Read LICENSE file and detect SPDX identifier.
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier from LICENSE file or null
+ */
+export function readLicenseFile(manifestPath: string): string | null;
+/**
+ * Get project license from manifest or LICENSE file.
+ * Returns manifestLicense if provided, otherwise tries LICENSE file.
+ * @param {string|null} manifestLicense - license from manifest (or null)
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier or null
+ */
+export function getLicense(manifestLicense: string | null, manifestPath: string): string | null;
+/**
+ * Normalize SPDX identifier for comparison (lowercase, strip common suffixes).
+ * @param {string} spdxOrName
+ * @returns {string}
+ */
+export function normalizeSpdx(spdxOrName: string): string;
+/**
+ * Check if a dependency's license is compatible with the project license based on backend categories.
+ *
+ * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @returns {'compatible'|'incompatible'|'unknown'}
+ */
+export function getCompatibility(projectCategory?: string, dependencyCategory?: string): "compatible" | "incompatible" | "unknown";

package/dist/src/license/license_utils.js

@@ -0,0 +1,134 @@
+/**
+ * License utilities: file reading, SPDX detection, normalization, compatibility.
+ * This module has NO dependencies on providers or backend to avoid circular dependencies.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+const LICENSE_FILES = ['LICENSE', 'LICENSE.md', 'LICENSE.txt'];
+/**
+ * Find LICENSE file path in the same directory as the manifest.
+ * @param {string} manifestPath
+ * @returns {string|null} - path to LICENSE file or null if not found
+ */
+export function findLicenseFilePath(manifestPath) {
+    const manifestDir = path.dirname(path.resolve(manifestPath));
+    for (const name of LICENSE_FILES) {
+        const filePath = path.join(manifestDir, name);
+        try {
+            if (fs.statSync(filePath).isFile()) {
+                return filePath;
+            }
+        }
+        catch {
+            // skip
+        }
+    }
+    return null;
+}
+/**
+ * Very simple SPDX detection from common license text (first ~500 chars).
+ * @param {string} text
+ * @returns {string|null}
+ */
+export function detectSpdxFromText(text) {
+    const head = text.slice(0, 500);
+    if (/Apache License,?\s*Version 2\.0/i.test(head)) {
+        return 'Apache-2.0';
+    }
+    if (/MIT License/i.test(head) && /Permission is hereby granted/i.test(head)) {
+        return 'MIT';
+    }
+    if (/GNU AFFERO GENERAL PUBLIC LICENSE\s+Version 3/i.test(head)) {
+        return 'AGPL-3.0-only';
+    }
+    if (/GNU LESSER GENERAL PUBLIC LICENSE\s+Version 3/i.test(head)) {
+        return 'LGPL-3.0-only';
+    }
+    if (/GNU LESSER GENERAL PUBLIC LICENSE\s+Version 2\.1/i.test(head)) {
+        return 'LGPL-2.1-only';
+    }
+    if (/GNU GENERAL PUBLIC LICENSE\s+Version 2/i.test(head)) {
+        return 'GPL-2.0-only';
+    }
+    if (/GNU GENERAL PUBLIC LICENSE\s+Version 3/i.test(head)) {
+        return 'GPL-3.0-only';
+    }
+    if (/BSD 2-Clause/i.test(head)) {
+        return 'BSD-2-Clause';
+    }
+    if (/BSD 3-Clause/i.test(head)) {
+        return 'BSD-3-Clause';
+    }
+    return null;
+}
+/**
+ * Read LICENSE file and detect SPDX identifier.
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier from LICENSE file or null
+ */
+export function readLicenseFile(manifestPath) {
+    const licenseFilePath = findLicenseFilePath(manifestPath);
+    if (!licenseFilePath) {
+        return null;
+    }
+    try {
+        const content = fs.readFileSync(licenseFilePath, 'utf-8');
+        return detectSpdxFromText(content) || content.split('\n')[0]?.trim() || null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get project license from manifest or LICENSE file.
+ * Returns manifestLicense if provided, otherwise tries LICENSE file.
+ * @param {string|null} manifestLicense - license from manifest (or null)
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier or null
+ */
+export function getLicense(manifestLicense, manifestPath) {
+    return manifestLicense || readLicenseFile(manifestPath) || null;
+}
+/**
+ * Normalize SPDX identifier for comparison (lowercase, strip common suffixes).
+ * @param {string} spdxOrName
+ * @returns {string}
+ */
+export function normalizeSpdx(spdxOrName) {
+    const s = String(spdxOrName).trim().toLowerCase();
+    if (s.endsWith(' license')) {
+        return s.slice(0, -8);
+    }
+    return s;
+}
+/**
+ * Check if a dependency's license is compatible with the project license based on backend categories.
+ *
+ * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+ * @returns {'compatible'|'incompatible'|'unknown'}
+ */
+export function getCompatibility(projectCategory, dependencyCategory) {
+    if (!projectCategory || !dependencyCategory) {
+        return 'unknown';
+    }
+    const proj = projectCategory.toUpperCase();
+    const dep = dependencyCategory.toUpperCase();
+    if (proj === 'UNKNOWN' || dep === 'UNKNOWN') {
+        return 'unknown';
+    }
+    const restrictiveness = {
+        'PERMISSIVE': 1,
+        'WEAK_COPYLEFT': 2,
+        'STRONG_COPYLEFT': 3
+    };
+    const projLevel = restrictiveness[proj];
+    const depLevel = restrictiveness[dep];
+    if (projLevel === undefined || depLevel === undefined) {
+        return 'unknown';
+    }
+    if (depLevel > projLevel) {
+        return 'incompatible';
+    }
+    return 'compatible';
+}

package/dist/src/license/licenses_api.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Fetch license details by SPDX identifier from the backend GET /api/v5/licenses/{spdx}.
+ * Returns detailed information about a specific license including category, name, and text.
+ *
+ * @param {string} spdxId - SPDX identifier (e.g., "Apache-2.0", "MIT")
+ * @param {import('../index.js').Options} [opts={}] - options (proxy, token, TRUSTIFY_DA_BACKEND_URL, etc.)
+ * @returns {Promise<Object|null>} License details or null if not found
+ */
+export function getLicenseDetails(spdxId: string, opts?: import("../index.js").Options): Promise<any | null>;
+/**
+ * Normalize the LicensesResponse shape (array of LicenseProviderResult) into a map of purl -> license info.
+ * Each provider result has { status, summary, packages } where packages is { [purl]: { concluded, evidence } }.
+ * We merge the first successful provider's packages; concluded has identifiers[], category (PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN).
+ *
+ * @param {unknown} data - LicensesResponse (array) or analysis report's licenses field
+ * @param {string[]} [purls] - optional list of purls to restrict to (for consistency with getLicensesByPurl)
+ * @returns {Map<string, { licenses: string[], category?: string }>}
+ */
+export function normalizeLicensesResponse(data: unknown, purls?: string[]): Map<string, {
+    licenses: string[];
+    category?: string;
+}>;
+/**
+ * Build license map from an analysis report that already includes license data (result.licenses).
+ * Use this when the dependency analysis response already contains the licenses array to avoid a second request.
+ *
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} analysisReport - full analysis JSON
+ * @param {string[]} [purls] - optional list of purls to restrict to
+ * @returns {Map<string, { licenses: string[], category?: string }>}
+ */
+export function licensesFromReport(analysisReport: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport, purls?: string[]): Map<string, {
+    licenses: string[];
+    category?: string;
+}>;

package/dist/src/license/licenses_api.js

@@ -0,0 +1,91 @@
+/**
+ * Client for the Trustify DA backend License Analysis API (POST /api/v5/licenses).
+ * The same license data shape is returned in the dependency analysis JSON report (result.licenses).
+ * @see https://github.com/guacsec/trustify-dependency-analytics#license-analysis-apiv5licenses
+ * @see https://github.com/guacsec/trustify-da-api-spec/blob/main/api/v5/openapi.yaml
+ */
+import { selectTrustifyDABackend } from '../index.js';
+import { addProxyAgent, getTokenHeaders } from '../tools.js';
+/**
+ * Fetch license details by SPDX identifier from the backend GET /api/v5/licenses/{spdx}.
+ * Returns detailed information about a specific license including category, name, and text.
+ *
+ * @param {string} spdxId - SPDX identifier (e.g., "Apache-2.0", "MIT")
+ * @param {import('../index.js').Options} [opts={}] - options (proxy, token, TRUSTIFY_DA_BACKEND_URL, etc.)
+ * @returns {Promise<Object|null>} License details or null if not found
+ */
+export async function getLicenseDetails(spdxId, opts = {}) {
+    if (!spdxId) {
+        return null;
+    }
+    const url = selectTrustifyDABackend(opts);
+    const finalUrl = new URL(`${url}/api/v5/licenses/${encodeURIComponent(spdxId)}`);
+    const fetchOptions = addProxyAgent({
+        method: 'GET',
+        headers: {
+            'Accept': 'application/json',
+            ...getTokenHeaders(opts)
+        },
+    }, opts);
+    try {
+        const resp = await fetch(finalUrl, fetchOptions);
+        if (!resp.ok) {
+            const errorText = await resp.text().catch(() => '');
+            throw new Error(`HTTP ${resp.status}: ${errorText || resp.statusText}`);
+        }
+        return await resp.json();
+    }
+    catch (err) {
+        throw new Error(`Failed to fetch license details: ${err.message}`);
+    }
+}
+/**
+ * Normalize the LicensesResponse shape (array of LicenseProviderResult) into a map of purl -> license info.
+ * Each provider result has { status, summary, packages } where packages is { [purl]: { concluded, evidence } }.
+ * We merge the first successful provider's packages; concluded has identifiers[], category (PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN).
+ *
+ * @param {unknown} data - LicensesResponse (array) or analysis report's licenses field
+ * @param {string[]} [purls] - optional list of purls to restrict to (for consistency with getLicensesByPurl)
+ * @returns {Map<string, { licenses: string[], category?: string }>}
+ */
+export function normalizeLicensesResponse(data, purls = []) {
+    const map = new Map();
+    if (!data || !Array.isArray(data)) {
+        return map;
+    }
+    for (const providerResult of data) {
+        const packages = providerResult?.packages;
+        if (!packages || typeof packages !== 'object') {
+            continue;
+        }
+        for (const [purl, pkgLicense] of Object.entries(packages)) {
+            const concluded = pkgLicense?.concluded;
+            const identifiers = Array.isArray(concluded?.identifiers) ? concluded.identifiers : [];
+            const expression = concluded?.expression;
+            const licenses = identifiers.length > 0 ? identifiers : (expression ? [expression] : []);
+            const category = concluded?.category; // PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
+            if (purls.length === 0 || purls.includes(purl)) {
+                map.set(purl, { licenses: licenses.filter(Boolean), category });
+            }
+        }
+        // Use first provider that has packages; backend may return multiple (e.g. deps.dev)
+        if (map.size > 0) {
+            break;
+        }
+    }
+    return map;
+}
+/**
+ * Build license map from an analysis report that already includes license data (result.licenses).
+ * Use this when the dependency analysis response already contains the licenses array to avoid a second request.
+ *
+ * @param {import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport} analysisReport - full analysis JSON
+ * @param {string[]} [purls] - optional list of purls to restrict to
+ * @returns {Map<string, { licenses: string[], category?: string }>}
+ */
+export function licensesFromReport(analysisReport, purls = []) {
+    if (!analysisReport?.licenses) {
+        return new Map();
+    }
+    return normalizeLicensesResponse(analysisReport.licenses, purls);
+}

package/dist/src/license/project_license.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Resolve project license from manifest and from LICENSE / LICENSE.md in manifest dir or git root.
+ * Uses local pattern matching for LICENSE file identification (synchronous).
+ * For more accurate backend-based identification, use identifyLicense() separately.
+ * @param {string} manifestPath - path to manifest
+ * @returns {{ fromManifest: string|null, fromFile: string|null, mismatch: boolean }}
+ */
+export function getProjectLicense(manifestPath: string): {
+    fromManifest: string | null;
+    fromFile: string | null;
+    mismatch: boolean;
+};
+/**
+ * Call backend /licenses/identify endpoint to identify license from file.
+ * @param {string} licenseFilePath - path to LICENSE file
+ * @param {{}} [opts={}] - options (proxy, token, etc.)
+ * @returns {Promise<string|null>} - SPDX identifier or null
+ */
+export function identifyLicense(licenseFilePath: string, opts?: {}): Promise<string | null>;
+/**
+ * Get license for SBOM root component with fallback to LICENSE file.
+ * Priority: manifest license > LICENSE file > null
+ * This is used by providers to populate the license field in the SBOM.
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier or null
+ */
+export function getLicenseForSbom(manifestPath: string): string | null;
+export { findLicenseFilePath, readLicenseFile } from "./license_utils.js";

package/dist/src/license/project_license.js

@@ -0,0 +1,73 @@
+/**
+ * Resolves the project license from the manifest and from a LICENSE / LICENSE.md file.
+ * Used to report manifest-vs-file mismatch and as the baseline for dependency license compatibility.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { selectTrustifyDABackend } from '../index.js';
+import { matchForLicense, availableProviders } from '../provider.js';
+import { addProxyAgent, getTokenHeaders } from '../tools.js';
+import { normalizeSpdx, readLicenseFile } from './license_utils.js';
+/**
+ * Resolve project license from manifest and from LICENSE / LICENSE.md in manifest dir or git root.
+ * Uses local pattern matching for LICENSE file identification (synchronous).
+ * For more accurate backend-based identification, use identifyLicense() separately.
+ * @param {string} manifestPath - path to manifest
+ * @returns {{ fromManifest: string|null, fromFile: string|null, mismatch: boolean }}
+ */
+export function getProjectLicense(manifestPath) {
+    const resolved = path.resolve(manifestPath);
+    const provider = matchForLicense(resolved, availableProviders);
+    const fromManifest = provider.readLicenseFromManifest(resolved);
+    const fromFile = readLicenseFile(resolved);
+    const mismatch = Boolean(fromManifest && fromFile && normalizeSpdx(fromManifest) !== normalizeSpdx(fromFile));
+    return {
+        fromManifest: fromManifest || null,
+        fromFile: fromFile || null,
+        mismatch
+    };
+}
+export { findLicenseFilePath, readLicenseFile } from './license_utils.js';
+/**
+ * Call backend /licenses/identify endpoint to identify license from file.
+ * @param {string} licenseFilePath - path to LICENSE file
+ * @param {{}} [opts={}] - options (proxy, token, etc.)
+ * @returns {Promise<string|null>} - SPDX identifier or null
+ */
+export async function identifyLicense(licenseFilePath, opts = {}) {
+    try {
+        const fileContent = fs.readFileSync(licenseFilePath);
+        const backendUrl = selectTrustifyDABackend(opts);
+        const url = new URL(`${backendUrl}/api/v5/licenses/identify`);
+        const tokenHeaders = getTokenHeaders(opts);
+        const fetchOptions = addProxyAgent({
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/octet-stream',
+                ...tokenHeaders,
+            },
+            body: fileContent,
+        }, opts);
+        const resp = await fetch(url, fetchOptions);
+        if (!resp.ok) {
+            return null; // Fallback to local detection on error
+        }
+        const data = await resp.json();
+        // Extract SPDX identifier from backend response
+        return data?.license?.id || data?.spdx_id || data?.identifier || null;
+    }
+    catch {
+        return null; // Fallback to local detection on error
+    }
+}
+/**
+ * Get license for SBOM root component with fallback to LICENSE file.
+ * Priority: manifest license > LICENSE file > null
+ * This is used by providers to populate the license field in the SBOM.
+ * @param {string} manifestPath - path to manifest
+ * @returns {string|null} - SPDX identifier or null
+ */
+export function getLicenseForSbom(manifestPath) {
+    const { fromManifest, fromFile } = getProjectLicense(manifestPath);
+    return fromManifest || fromFile || null;
+}

package/dist/src/oci_image/images.d.ts

@@ -1,4 +1,3 @@
-/// <reference types="packageurl-js/src/package-url.js" />
 /**
 * Helper class for parsing docker repository/image names:
 *
@@ -26,7 +25,7 @@ export class Image {
      * @param {string} fullName
      * @param {string} [givenTag]
      */
-    constructor(fullName: string, givenTag?: string | undefined);
+    constructor(fullName: string, givenTag?: string);
     repository: string;
     registry: string;
     tag: string;
@@ -46,12 +45,12 @@ export class Image {
     * @param {string} [optionalRegistry]
     * @returns {string}
     */
-    getNameWithoutTag(optionalRegistry?: string | undefined): string;
+    getNameWithoutTag(optionalRegistry?: string): string;
     /**
     * @param {string} [optionalRegistry]
     * @returns {string}
     */
-    getFullName(optionalRegistry?: string | undefined): string;
+    getFullName(optionalRegistry?: string): string;
     /**
     * @returns {string}
     */
@@ -79,7 +78,7 @@ export class ImageRef {
      * @param {string} [platform]
      * @param {import("index.js").Options} [opts={}]
      */
-    constructor(image: string, platform?: string | undefined, opts?: import("index.js").Options | undefined);
+    constructor(image: string, platform?: string, opts?: import("index.js").Options);
     /** @type {Image} */
     image: Image;
     /** @type {Platform} */

package/dist/src/oci_image/utils.d.ts

@@ -4,20 +4,20 @@
  * @param {import("../index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {{}}
  */
-export function generateImageSBOM(imageRef: import('./images').ImageRef, opts?: import("../index.js").Options | undefined): {};
+export function generateImageSBOM(imageRef: import("./images").ImageRef, opts?: import("../index.js").Options): {};
 /**
  *
  * @param {string} image
  * @param {import("../index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {ImageRef}
  */
-export function parseImageRef(image: string, opts?: import("../index.js").Options | undefined): ImageRef;
+export function parseImageRef(image: string, opts?: import("../index.js").Options): ImageRef;
 /**
  * Gets the platform information for an image
  * @param {import("../index.js").Options} [opts={}] - optional various options to pass along the application
  * @returns {Platform|null} - The platform information or null
  */
-export function getImagePlatform(opts?: import("../index.js").Options | undefined): Platform | null;
+export function getImagePlatform(opts?: import("../index.js").Options): Platform | null;
 /**
  * Gets the digests for an image
  * @param {import('./images').ImageRef} imageRef - The image reference
@@ -25,7 +25,7 @@ export function getImagePlatform(opts?: import("../index.js").Options | undefine
  * @returns {Object.<string, string>} - The image digests
  * @throws {Error} If the image info is invalid
  */
-export function getImageDigests(imageRef: import('./images').ImageRef, opts?: import("../index.js").Options | undefined): {
+export function getImageDigests(imageRef: import("./images").ImageRef, opts?: import("../index.js").Options): {
     [x: string]: string;
 };
 export type SyftImageSource = {

package/dist/src/provider.d.ts

@@ -1,3 +1,11 @@
+/**
+ * Match a provider by manifest type only (no lock file check). Used for license reading.
+ * @param {string} manifestPath - path or name of the manifest
+ * @param {[Provider]} providers - list of providers to iterate over
+ * @returns {Provider}
+ * @throws {Error} when the manifest is not supported and no provider was matched
+ */
+export function matchForLicense(manifestPath: string, providers: [Provider]): Provider;
 /**
  * Match a provider from a list or providers based on file type.
  * Each provider MUST export 'isSupported' taking a file name-type and returning true if supported.
@@ -10,7 +18,7 @@
  */
 export function match(manifest: string, providers: [Provider]): Provider;
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
-/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided, provideStack: function(string, {}): Provided}} Provider */
+/** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
 /**
  * MUST include all providers here.
  * @type {[Provider]}
@@ -24,6 +32,7 @@ export type Provided = {
 export type Provider = {
     isSupported: (arg0: string) => boolean;
     validateLockFile: (arg0: string) => void;
-    provideComponent: (arg0: string, arg1: {}) => Provided;
-    provideStack: (arg0: string, arg1: {}) => Provided;
+    provideComponent: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
+    provideStack: (arg0: string, arg1: {}) => Provided | Promise<Provided>;
+    readLicenseFromManifest: (arg0: string) => string | null;
 };