@trustify-da/trustify-da-javascript-client 0.3.0-ea.de12f6a → 0.3.0-ea.e5bb86c

package/README.md

@@ -224,7 +224,8 @@ $ trustify-da-javascript-client license /path/to/package.json
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://pnpm.io/">pnpm</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://classic.yarnpkg.com/">Yarn Classic</a> /  <a href="https://yarnpkg.com/">Yarn Berry</a></li>
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
-<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a> (<code>requirements.txt</code>)</li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://python-poetry.org/">Poetry</a> / <a href="https://docs.astral.sh/uv/">uv</a> (<code>pyproject.toml</code>)</li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
 <li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
 </ul>
@@ -391,7 +392,30 @@ version = "1.10"
 log = "0.4" # trustify-da-ignore
 ```
 
-All of the 6 above examples are valid for marking a package to be ignored
+
+<em>Python pyproject.toml</em> users can add a comment with <code>#exhortignore</code> (or <code># trustify-da-ignore</code>) next to the dependency in <code>pyproject.toml</code>.
+
+PEP 621 style (<code>[project]</code> dependencies):
+```toml
+[project]
+dependencies = [
+    "flask>=2.0.3",
+    "requests>=2.25.1",
+    "uvicorn>=0.17.0", #exhortignore
+    "click>=8.0.4", # trustify-da-ignore
+]
+```
+
+Poetry style (<code>[tool.poetry.dependencies]</code>):
+```toml
+[tool.poetry.dependencies]
+flask = "^2.0.3"
+requests = "^2.25.1"
+uvicorn = "^0.17.0" #exhortignore
+click = "^8.0.4" # trustify-da-ignore
+```
+
+All of the above examples are valid for marking a package to be ignored
 </li>
 </ul>
 
@@ -421,6 +445,8 @@ let options = {
   'TRUSTIFY_DA_PIP3_PATH' : '/path/to/pip3',
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
+  'TRUSTIFY_DA_UV_PATH' : '/path/to/uv',
+  'TRUSTIFY_DA_POETRY_PATH' : '/path/to/poetry',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
   'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
   // Workspace root for monorepos (Cargo, npm/pnpm/yarn); lock file expected here
@@ -567,6 +593,16 @@ following keys for setting custom paths for the said executables.
 <td>TRUSTIFY_DA_CARGO_PATH</td>
 </tr>
 <tr>
+<td><a href="https://docs.astral.sh/uv/">uv</a></td>
+<td><em>uv</em></td>
+<td>TRUSTIFY_DA_UV_PATH</td>
+</tr>
+<tr>
+<td><a href="https://python-poetry.org/">Poetry</a></td>
+<td><em>poetry</em></td>
+<td>TRUSTIFY_DA_POETRY_PATH</td>
+</tr>
+<tr>
 <td>Workspace root (monorepos)</td>
 <td>—</td>
 <td>workspaceDir / TRUSTIFY_DA_WORKSPACE_DIR</td>
@@ -619,6 +655,24 @@ TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED=false
 
 #### Python Support
 
+The client supports two Python manifest formats:
+
+- **`requirements.txt`** — uses pip/pip3 to resolve dependencies
+- **`pyproject.toml`** — uses [uv](https://docs.astral.sh/uv/) or [Poetry](https://python-poetry.org/) to resolve dependencies
+
+##### pyproject.toml
+
+For `pyproject.toml` projects, the client detects which tool manages the project by checking for lock files:
+- If `poetry.lock` is present and `[tool.poetry]` is defined, **Poetry** is used (`poetry show --tree` and `poetry show --all`)
+- If `uv.lock` is present, **uv** is used (`uv export --format requirements.txt --frozen --no-hashes`)
+- If neither lock file is found, an error is thrown
+
+Both PEP 621 (`[project]` dependencies) and Poetry-style (`[tool.poetry.dependencies]`) are supported.
+
+Custom executable paths can be set via `TRUSTIFY_DA_UV_PATH` and `TRUSTIFY_DA_POETRY_PATH`.
+
+##### requirements.txt
+
 By default, For python support, the api assumes that the package is installed using the pip/pip3 binary on the system PATH, or using the customized
 Binaries passed to environment variables. In any case, If the package is not installed , then an error will be thrown.
 

package/dist/package.json

@@ -38,7 +38,7 @@
         "lint": "eslint src test --ext js",
         "lint:fix": "eslint src test --ext js --fix",
         "test": "c8 npm run tests",
-        "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
+        "tests": "mocha --config .mocharc.json",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
         "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
         "precompile": "rm -rf dist",

package/dist/src/analysis.js

@@ -189,7 +189,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
-    const resp = await fetch(finalUrl, {
+    const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
             'Accept': html ? 'text/html' : 'application/json',
@@ -197,7 +197,8 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
             ...getTokenHeaders(opts)
         },
         body: JSON.stringify(imageSboms),
-    });
+    }, opts);
+    const resp = await fetch(finalUrl, fetchOptions);
     if (resp.status === 200) {
         let result;
         if (!html) {

package/dist/src/cyclone_dx_sbom.d.ts

@@ -70,6 +70,13 @@ export default class CycloneDxSbom {
      * @return {boolean}
      */
     checkIfPackageInsideDependsOnList(component: any, name: string): boolean;
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef: PackageURL, purlPrefix: string): boolean;
     /** Removes the root component from the sbom
      */
     removeRootComponent(): void;

package/dist/src/cyclone_dx_sbom.js

@@ -242,6 +242,20 @@ export default class CycloneDxSbom {
             return false;
         }
     }
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef, purlPrefix) {
+        const sourcePurl = sourceRef.toString();
+        const depIndex = this.getDependencyIndex(sourcePurl);
+        if (depIndex < 0) {
+            return false;
+        }
+        return this.dependencies[depIndex].dependsOn.some(dep => dep.startsWith(purlPrefix));
+    }
     /** Removes the root component from the sbom
      */
     removeRootComponent() {

package/dist/src/index.d.ts

@@ -64,6 +64,8 @@ export type Options = {
     TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined;
     batchMetadata?: boolean | undefined;
     TRUSTIFY_DA_BATCH_METADATA?: string | undefined;
+    TRUSTIFY_DA_UV_PATH?: string | undefined;
+    TRUSTIFY_DA_POETRY_PATH?: string | undefined;
     [key: string]: string | number | boolean | string[] | undefined;
 };
 export type BatchAnalysisMetadata = {

package/dist/src/index.js

@@ -56,6 +56,8 @@ export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson
  * TRUSTIFY_DA_CONTINUE_ON_ERROR?: string | undefined,
  * batchMetadata?: boolean | undefined,
  * TRUSTIFY_DA_BATCH_METADATA?: string | undefined,
+ * TRUSTIFY_DA_UV_PATH?: string | undefined,
+ * TRUSTIFY_DA_POETRY_PATH?: string | undefined,
  * [key: string]: string | number | boolean | string[] | undefined,
  * }} Options
  */

package/dist/src/provider.js

@@ -7,6 +7,8 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_poetry from './providers/python_poetry.js';
+import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
 /** @typedef {{ecosystem: string, contentType: string, content: string}} Provided */
 /** @typedef {{isSupported: function(string): boolean, validateLockFile: function(string, Object): void, provideComponent: function(string, {}): Provided | Promise<Provided>, provideStack: function(string, {}): Provided | Promise<Provided>, readLicenseFromManifest: function(string): string | null}} Provider */
@@ -23,6 +25,8 @@ export const availableProviders = [
     new Javascript_npm(),
     golangGomodulesProvider,
     pythonPipProvider,
+    new Python_poetry(),
+    new Python_uv(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_javascript.js

@@ -235,9 +235,32 @@ export default class Base_javascript {
         let sbom = new Sbom();
         sbom.addRoot(mainComponent, license);
         this._addDependenciesToSbom(sbom, depsObject);
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
+    /**
+     * Ensures peer and optional dependencies declared in the manifest are
+     * present in the SBOM, even when the package manager does not resolve them
+     * (e.g. yarn does not include peer deps in its dependency listing).
+     * @param {Sbom} sbom - The SBOM to supplement
+     * @private
+     */
+    #ensurePeerAndOptionalDeps(sbom) {
+        const rootPurl = toPurl(purlType, this.#manifest.name, this.#manifest.version);
+        const depSources = [this.#manifest.peerDependencies, this.#manifest.optionalDependencies];
+        for (const source of depSources) {
+            for (const [name, version] of Object.entries(source)) {
+                // Build the purl prefix for exact matching (e.g. "pkg:npm/minimist@"
+                // or "pkg:npm/%40hapi/joi@") to avoid substring false positives
+                const probe = toPurl(purlType, name, version);
+                const purlPrefix = probe.toString().replace(/@[^@]*$/, '@');
+                if (!sbom.checkDependsOnByPurlPrefix(rootPurl, purlPrefix)) {
+                    sbom.addDependency(rootPurl, probe);
+                }
+            }
+        }
+    }
     /**
    * Recursively builds the Sbom from the JSON that npm listing returns
    * @param {Sbom} sbom - The SBOM object to add dependencies to
@@ -245,7 +268,10 @@ export default class Base_javascript {
    * @protected
    */
     _addDependenciesToSbom(sbom, depTree) {
-        const dependencies = depTree["dependencies"] || {};
+        const dependencies = {
+            ...depTree["dependencies"],
+            ...depTree["optionalDependencies"],
+        };
         Object.entries(dependencies)
             .forEach(entry => {
             const [name, artifact] = entry;
@@ -295,6 +321,7 @@ export default class Base_javascript {
             const rootPurl = toPurlFromString(sbom.getRoot().purl);
             sbom.addDependency(rootPurl, rootDeps.get(key));
         }
+        this.#ensurePeerAndOptionalDeps(sbom);
         sbom.filterIgnoredDeps(this.#manifest.ignored);
         return sbom.getAsJsonString(opts);
     }
@@ -305,10 +332,14 @@ export default class Base_javascript {
    * @protected
    */
     _getRootDependencies(depTree) {
-        if (!depTree.dependencies) {
+        const allDeps = {
+            ...depTree.dependencies,
+            ...depTree.optionalDependencies,
+        };
+        if (Object.keys(allDeps).length === 0) {
             return new Map();
         }
-        return new Map(Object.entries(depTree.dependencies).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
+        return new Map(Object.entries(allDeps).map(([key, value]) => [key, toPurl(purlType, key, value.version)]));
     }
     /**
    * Executes the list command to get dependencies

package/dist/src/providers/base_pyproject.d.ts

@@ -0,0 +1,147 @@
+/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
+/** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
+/** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
+export default class Base_pyproject {
+    /**
+     * @param {string} manifestName
+     * @returns {boolean}
+     */
+    isSupported(manifestName: string): boolean;
+    /**
+     * @param {string} manifestDir
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string): boolean;
+    /**
+     * Read project license from pyproject.toml, with fallback to LICENSE file.
+     * @param {string} manifestPath
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath: string): string | null;
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    provideStack(manifest: string, opts?: any): Promise<Provided>;
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    provideComponent(manifest: string, opts?: any): Promise<Provided>;
+    /**
+     * @returns {string}
+     * @protected
+     */
+    protected _lockFileName(): string;
+    /**
+     * @returns {string}
+     * @protected
+     */
+    protected _cmdName(): string;
+    /**
+     * Resolve dependencies using the tool-specific command and parser.
+     * @param {string} manifestDir
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<DependencyData>}
+     * @protected
+     */
+    protected _getDependencyData(manifestDir: string, parsed: object, opts: any): Promise<DependencyData>;
+    /**
+     * Canonicalize a Python package name per PEP 503.
+     * @param {string} name
+     * @returns {string}
+     * @protected
+     */
+    protected _canonicalize(name: string): string;
+    /**
+     * Get the project name from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    protected _getProjectName(parsed: object): string | null;
+    /**
+     * Get the project version from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    protected _getProjectVersion(parsed: object): string | null;
+    /**
+     * Scan raw pyproject.toml text for dependencies with ignore markers.
+     * @param {string} manifestPath
+     * @returns {Set<string>}
+     * @protected
+     */
+    protected _getIgnoredDeps(manifestPath: string): Set<string>;
+    /**
+     * Build dependency tree from graph, starting from direct deps.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {Set<string>} ignoredDeps
+     * @param {boolean} includeTransitive
+     * @returns {DepTreeEntry[]}
+     * @protected
+     */
+    protected _buildDependencyTree(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>, includeTransitive: boolean): DepTreeEntry[];
+    /**
+     * Recursively collect transitive dependencies.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} childKeys
+     * @param {DepTreeEntry[]} result - mutated in place
+     * @param {Set<string>} ignoredDeps
+     * @param {Set<string>} visited
+     * @returns {void}
+     * @protected
+     */
+    protected _collectTransitive(graph: Map<string, GraphEntry>, childKeys: string[], result: DepTreeEntry[], ignoredDeps: Set<string>, visited: Set<string>): void;
+    /**
+     * @param {string} name
+     * @param {string} version
+     * @returns {PackageURL}
+     * @protected
+     */
+    protected _toPurl(name: string, version: string): PackageURL;
+    /**
+     * Recursively add a dependency and its transitive deps to the SBOM.
+     * @param {PackageURL} source
+     * @param {DepTreeEntry} dep
+     * @param {Sbom} sbom
+     * @returns {void}
+     * @private
+     */
+    private _addAllDependencies;
+    /**
+     * Create SBOM json string for a pyproject.toml project.
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} opts
+     * @param {boolean} includeTransitive
+     * @returns {Promise<string>}
+     * @private
+     */
+    private _createSbom;
+}
+export type GraphEntry = {
+    name: string;
+    version: string;
+    children: string[];
+};
+export type DepTreeEntry = {
+    name: string;
+    version: string;
+    dependencies: DepTreeEntry[];
+};
+export type DependencyData = {
+    directDeps: string[];
+    graph: Map<string, GraphEntry>;
+};
+export type Provided = {
+    ecosystem: string;
+    content: string;
+    contentType: string;
+};
+import { PackageURL } from 'packageurl-js';

package/dist/src/providers/base_pyproject.js

@@ -0,0 +1,279 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { PackageURL } from 'packageurl-js';
+import { parse as parseToml } from 'smol-toml';
+import { getLicense } from '../license/license_utils.js';
+import Sbom from '../sbom.js';
+const ecosystem = 'pip';
+const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
+const DEFAULT_ROOT_NAME = 'default-pip-root';
+const DEFAULT_ROOT_VERSION = '0.0.0';
+/** @typedef {{name: string, version: string, children: string[]}} GraphEntry */
+/** @typedef {{name: string, version: string, dependencies: DepTreeEntry[]}} DepTreeEntry */
+/** @typedef {{directDeps: string[], graph: Map<string, GraphEntry>}} DependencyData */
+/** @typedef {{ecosystem: string, content: string, contentType: string}} Provided */
+export default class Base_pyproject {
+    /**
+     * @param {string} manifestName
+     * @returns {boolean}
+     */
+    isSupported(manifestName) {
+        return 'pyproject.toml' === manifestName;
+    }
+    /**
+     * @param {string} manifestDir
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir) {
+        return fs.existsSync(path.join(manifestDir, this._lockFileName()));
+    }
+    /**
+     * Read project license from pyproject.toml, with fallback to LICENSE file.
+     * @param {string} manifestPath
+     * @returns {string|null}
+     */
+    readLicenseFromManifest(manifestPath) {
+        let fromManifest = null;
+        try {
+            let content = fs.readFileSync(manifestPath, 'utf-8');
+            let parsed = parseToml(content);
+            fromManifest = parsed.project?.license;
+            if (typeof fromManifest === 'object' && fromManifest != null) {
+                fromManifest = fromManifest.text || null;
+            }
+            if (!fromManifest) {
+                fromManifest = parsed.tool?.poetry?.license || null;
+            }
+        }
+        catch (_) {
+            // leave fromManifest as null
+        }
+        return getLicense(fromManifest, manifestPath);
+    }
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    async provideStack(manifest, opts = {}) {
+        return {
+            ecosystem,
+            content: await this._createSbom(manifest, opts, true),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    /**
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} [opts={}]
+     * @returns {Promise<Provided>}
+     */
+    async provideComponent(manifest, opts = {}) {
+        return {
+            ecosystem,
+            content: await this._createSbom(manifest, opts, false),
+            contentType: 'application/vnd.cyclonedx+json'
+        };
+    }
+    // --- abstract methods (subclasses must override) ---
+    /**
+     * @returns {string}
+     * @protected
+     */
+    _lockFileName() {
+        throw new TypeError('_lockFileName must be implemented');
+    }
+    /**
+     * @returns {string}
+     * @protected
+     */
+    _cmdName() {
+        throw new TypeError('_cmdName must be implemented');
+    }
+    /**
+     * Resolve dependencies using the tool-specific command and parser.
+     * @param {string} manifestDir
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<DependencyData>}
+     * @protected
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, parsed, opts) {
+        throw new TypeError('_getDependencyData must be implemented');
+    }
+    // --- shared helpers ---
+    /**
+     * Canonicalize a Python package name per PEP 503.
+     * @param {string} name
+     * @returns {string}
+     * @protected
+     */
+    _canonicalize(name) {
+        return name.toLowerCase().replace(/[-_.]+/g, '-');
+    }
+    /**
+     * Get the project name from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    _getProjectName(parsed) {
+        return parsed.project?.name || parsed.tool?.poetry?.name || null;
+    }
+    /**
+     * Get the project version from pyproject.toml.
+     * @param {object} parsed
+     * @returns {string|null}
+     * @protected
+     */
+    _getProjectVersion(parsed) {
+        return parsed.project?.version || parsed.tool?.poetry?.version || null;
+    }
+    /**
+     * Scan raw pyproject.toml text for dependencies with ignore markers.
+     * @param {string} manifestPath
+     * @returns {Set<string>}
+     * @protected
+     */
+    _getIgnoredDeps(manifestPath) {
+        let ignored = new Set();
+        let content = fs.readFileSync(manifestPath, 'utf-8');
+        let lines = content.split(/\r?\n/);
+        for (let line of lines) {
+            if (!IGNORE_MARKERS.some(m => line.includes(m))) {
+                continue;
+            }
+            // PEP 621 style: "requests>=2.25" #exhortignore
+            let pep621Match = line.match(/^\s*"([^"]+)"/);
+            if (pep621Match) {
+                let reqStr = pep621Match[1];
+                let nameMatch = reqStr.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+                if (nameMatch) {
+                    ignored.add(this._canonicalize(nameMatch[1]));
+                }
+                continue;
+            }
+            // Poetry style: requests = "^2.25" #exhortignore
+            let poetryMatch = line.match(/^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*=/);
+            if (poetryMatch) {
+                ignored.add(this._canonicalize(poetryMatch[1]));
+            }
+        }
+        return ignored;
+    }
+    /**
+     * Build dependency tree from graph, starting from direct deps.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {Set<string>} ignoredDeps
+     * @param {boolean} includeTransitive
+     * @returns {DepTreeEntry[]}
+     * @protected
+     */
+    _buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive) {
+        let result = [];
+        for (let key of directDeps) {
+            if (ignoredDeps.has(key)) {
+                continue;
+            }
+            let entry = graph.get(key);
+            if (!entry) {
+                continue;
+            }
+            let depTree = [];
+            if (includeTransitive) {
+                let visited = new Set();
+                visited.add(key);
+                this._collectTransitive(graph, entry.children, depTree, ignoredDeps, visited);
+            }
+            result.push({ name: entry.name, version: entry.version, dependencies: depTree });
+        }
+        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+        return result;
+    }
+    /**
+     * Recursively collect transitive dependencies.
+     * @param {Map<string, GraphEntry>} graph
+     * @param {string[]} childKeys
+     * @param {DepTreeEntry[]} result - mutated in place
+     * @param {Set<string>} ignoredDeps
+     * @param {Set<string>} visited
+     * @returns {void}
+     * @protected
+     */
+    _collectTransitive(graph, childKeys, result, ignoredDeps, visited) {
+        for (let childKey of childKeys) {
+            let canonKey = this._canonicalize(childKey);
+            if (ignoredDeps.has(canonKey)) {
+                continue;
+            }
+            if (visited.has(canonKey)) {
+                continue;
+            }
+            visited.add(canonKey);
+            let entry = graph.get(canonKey);
+            if (!entry) {
+                continue;
+            }
+            let childDeps = [];
+            this._collectTransitive(graph, entry.children, childDeps, ignoredDeps, visited);
+            result.push({ name: entry.name, version: entry.version, dependencies: childDeps });
+        }
+        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+    }
+    /**
+     * @param {string} name
+     * @param {string} version
+     * @returns {PackageURL}
+     * @protected
+     */
+    _toPurl(name, version) {
+        return new PackageURL('pypi', undefined, name, version, undefined, undefined);
+    }
+    /**
+     * Recursively add a dependency and its transitive deps to the SBOM.
+     * @param {PackageURL} source
+     * @param {DepTreeEntry} dep
+     * @param {Sbom} sbom
+     * @returns {void}
+     * @private
+     */
+    _addAllDependencies(source, dep, sbom) {
+        let targetPurl = this._toPurl(dep.name, dep.version);
+        sbom.addDependency(source, targetPurl);
+        if (dep.dependencies && dep.dependencies.length > 0) {
+            dep.dependencies.forEach(child => this._addAllDependencies(this._toPurl(dep.name, dep.version), child, sbom));
+        }
+    }
+    /**
+     * Create SBOM json string for a pyproject.toml project.
+     * @param {string} manifest - path to pyproject.toml
+     * @param {Object} opts
+     * @param {boolean} includeTransitive
+     * @returns {Promise<string>}
+     * @private
+     */
+    async _createSbom(manifest, opts, includeTransitive) {
+        let manifestDir = path.dirname(manifest);
+        let content = fs.readFileSync(manifest, 'utf-8');
+        let parsed = parseToml(content);
+        let { directDeps, graph } = await this._getDependencyData(manifestDir, parsed, opts);
+        let ignoredDeps = this._getIgnoredDeps(manifest);
+        let dependencies = this._buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive);
+        let sbom = new Sbom();
+        let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
+        let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
+        let rootPurl = this._toPurl(rootName, rootVersion);
+        let license = this.readLicenseFromManifest(manifest);
+        sbom.addRoot(rootPurl, license);
+        dependencies.forEach(dep => {
+            if (includeTransitive) {
+                this._addAllDependencies(rootPurl, dep, sbom);
+            }
+            else {
+                sbom.addDependency(rootPurl, this._toPurl(dep.name, dep.version));
+            }
+        });
+        return sbom.getAsJsonString(opts);
+    }
+}

package/dist/src/providers/manifest.d.ts

@@ -2,6 +2,8 @@ export default class Manifest {
     constructor(manifestPath: any);
     manifestPath: any;
     dependencies: any[];
+    peerDependencies: any;
+    optionalDependencies: any;
     name: any;
     version: any;
     ignored: any[];

package/dist/src/providers/manifest.js

@@ -9,6 +9,8 @@ export default class Manifest {
         this.manifestPath = manifestPath;
         const content = this.loadManifest();
         this.dependencies = this.loadDependencies(content);
+        this.peerDependencies = content.peerDependencies || {};
+        this.optionalDependencies = content.optionalDependencies || {};
         this.name = content.name;
         this.version = content.version || DEFAULT_VERSION;
         this.ignored = this.loadIgnored(content);
@@ -27,11 +29,27 @@ export default class Manifest {
     }
     loadDependencies(content) {
         let deps = [];
-        if (!content.dependencies) {
-            return deps;
+        const depSources = [
+            content.dependencies,
+            content.peerDependencies,
+            content.optionalDependencies,
+        ];
+        for (const source of depSources) {
+            if (source) {
+                for (let dep in source) {
+                    if (!deps.includes(dep)) {
+                        deps.push(dep);
+                    }
+                }
+            }
         }
-        for (let dep in content.dependencies) {
-            deps.push(dep);
+        // bundledDependencies is an array of package names (subset of dependencies)
+        if (Array.isArray(content.bundledDependencies)) {
+            for (const dep of content.bundledDependencies) {
+                if (!deps.includes(dep)) {
+                    deps.push(dep);
+                }
+            }
         }
         return deps;
     }

package/dist/src/providers/processors/yarn_berry_processor.js

@@ -48,13 +48,15 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!depTree) {
             return new Map();
         }
-        return new Map(depTree.filter(dep => !this.#isRoot(dep.value)).map(dep => {
+        return new Map(depTree.filter(dep => !this.#isRoot(dep.value))
+            .map(dep => {
             const depName = dep.value;
             const idx = depName.lastIndexOf('@');
             const name = depName.substring(0, idx);
             const version = dep.children.Version;
             return [name, toPurl(purlType, name, version)];
-        }));
+        })
+            .filter(([name]) => this._manifest.dependencies.includes(name)));
     }
     /**
    * Checks if a dependency is the root package
@@ -77,14 +79,58 @@ export default class Yarn_berry_processor extends Yarn_processor {
         if (!depTree) {
             return;
         }
+        // Build index of nodes by their value for quick lookup
+        const nodeIndex = new Map();
+        depTree.forEach(n => nodeIndex.set(n.value, n));
+        // Determine the set of node values reachable from root via production deps
+        const prodDeps = new Set(this._manifest.dependencies);
+        const reachable = new Set();
+        const queue = [];
+        // Seed with root's production dependencies
+        const rootNode = depTree.find(n => this.#isRoot(n.value));
+        if (rootNode?.children?.Dependencies) {
+            for (const d of rootNode.children.Dependencies) {
+                const to = this.#purlFromLocator(d.locator);
+                if (to) {
+                    const fullName = to.namespace ? `${to.namespace}/${to.name}` : to.name;
+                    if (prodDeps.has(fullName)) {
+                        queue.push(d.locator);
+                    }
+                }
+            }
+        }
+        // BFS to find all transitively reachable packages
+        while (queue.length > 0) {
+            const locator = queue.shift();
+            if (reachable.has(locator)) {
+                continue;
+            }
+            reachable.add(locator);
+            const node = nodeIndex.get(this.#nodeValueFromLocator(locator));
+            if (node?.children?.Dependencies) {
+                for (const d of node.children.Dependencies) {
+                    if (!reachable.has(d.locator)) {
+                        queue.push(d.locator);
+                    }
+                }
+            }
+        }
+        // Only emit edges for root and reachable nodes
         depTree.forEach(n => {
             const depName = n.value;
-            const from = this.#isRoot(depName) ? toPurlFromString(sbom.getRoot().purl) : this.#purlFromNode(depName, n);
+            const isRoot = this.#isRoot(depName);
+            if (!isRoot && !this.#isReachableNode(depName, reachable)) {
+                return;
+            }
+            const from = isRoot ? toPurlFromString(sbom.getRoot().purl) : this.#purlFromNode(depName, n);
             const deps = n.children?.Dependencies;
             if (!deps) {
                 return;
             }
             deps.forEach(d => {
+                if (!reachable.has(d.locator)) {
+                    return;
+                }
                 const to = this.#purlFromLocator(d.locator);
                 if (to) {
                     sbom.addDependency(from, to);
@@ -92,6 +138,39 @@ export default class Yarn_berry_processor extends Yarn_processor {
             });
         });
     }
+    /**
+     * Converts a locator to the node value format used in yarn info output
+     * @param {string} locator - e.g. "express@npm:4.17.1"
+     * @returns {string} The node value, same as locator for non-virtual
+     * @private
+     */
+    #nodeValueFromLocator(locator) {
+        // Virtual locators: "@scope/name@virtual:hash#npm:version" → "@scope/name@npm:version"
+        const virtualMatch = Yarn_berry_processor.VIRTUAL_LOCATOR_PATTERN.exec(locator);
+        if (virtualMatch) {
+            return `${virtualMatch[1]}@npm:${virtualMatch[2]}`;
+        }
+        return locator;
+    }
+    /**
+     * Checks if a node is in the reachable set by matching its value against reachable locators
+     * @param {string} depName - The node value (e.g. "express@npm:4.17.1")
+     * @param {Set<string>} reachable - Set of reachable locators
+     * @returns {boolean}
+     * @private
+     */
+    #isReachableNode(depName, reachable) {
+        if (reachable.has(depName)) {
+            return true;
+        }
+        // Check if any reachable locator resolves to this node value
+        for (const locator of reachable) {
+            if (this.#nodeValueFromLocator(locator) === depName) {
+                return true;
+            }
+        }
+        return false;
+    }
     /**
    * Creates a PackageURL from a dependency locator
    * @param {string} locator - The dependency locator

package/dist/src/providers/python_poetry.d.ts

@@ -0,0 +1,42 @@
+export default class Python_poetry extends Base_pyproject {
+    /**
+     * Get poetry show --tree output.
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowTreeOutput(manifestDir: string, opts: any): string;
+    /**
+     * Get poetry show --all output (flat list with resolved versions).
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowAllOutput(manifestDir: string, opts: any): string;
+    /**
+     * Parse poetry show --all output into a version map.
+     * Lines look like: "name         (!) 1.2.3  Description text..."
+     * or:              "name             1.2.3  Description text..."
+     * @param {string} output
+     * @returns {Map<string, string>} canonical name -> version
+     */
+    _parsePoetryShowAll(output: string): Map<string, string>;
+    /**
+     * Parse poetry show --tree output into a dependency graph structure.
+     * Top-level lines (no indentation/tree chars) are direct deps: "name version description"
+     * Indented lines are transitive deps with tree chars: "├── name >=constraint"
+     *
+     * @param {string} treeOutput
+     * @param {Map<string, string>} versionMap - canonical name -> resolved version
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePoetryTree(treeOutput: string, versionMap: Map<string, string>): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_poetry.js

@@ -0,0 +1,146 @@
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+export default class Python_poetry extends Base_pyproject {
+    /** @returns {string} */
+    _lockFileName() {
+        return 'poetry.lock';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'poetry';
+    }
+    /**
+     * @param {string} manifestDir
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    async _getDependencyData(manifestDir, parsed, opts) {
+        let treeOutput = this._getPoetryShowTreeOutput(manifestDir, opts);
+        let showAllOutput = this._getPoetryShowAllOutput(manifestDir, opts);
+        let versionMap = this._parsePoetryShowAll(showAllOutput);
+        return this._parsePoetryTree(treeOutput, versionMap);
+    }
+    /**
+     * Get poetry show --tree output.
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowTreeOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_POETRY_SHOW_TREE')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_POETRY_SHOW_TREE'], 'base64').toString('utf-8');
+        }
+        let poetryBin = getCustomPath('poetry', opts);
+        return invokeCommand(poetryBin, ['show', '--tree', '--no-ansi'], { cwd: manifestDir }).toString();
+    }
+    /**
+     * Get poetry show --all output (flat list with resolved versions).
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getPoetryShowAllOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_POETRY_SHOW_ALL')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_POETRY_SHOW_ALL'], 'base64').toString('utf-8');
+        }
+        let poetryBin = getCustomPath('poetry', opts);
+        return invokeCommand(poetryBin, ['show', '--no-ansi', '--all'], { cwd: manifestDir }).toString();
+    }
+    /**
+     * Parse poetry show --all output into a version map.
+     * Lines look like: "name         (!) 1.2.3  Description text..."
+     * or:              "name             1.2.3  Description text..."
+     * @param {string} output
+     * @returns {Map<string, string>} canonical name -> version
+     */
+    _parsePoetryShowAll(output) {
+        let versions = new Map();
+        let lines = output.split(/\r?\n/);
+        for (let line of lines) {
+            let trimmed = line.trim();
+            if (!trimmed) {
+                continue;
+            }
+            let match = trimmed.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s+(?:\(!\)\s+)?(\S+)/);
+            if (match) {
+                versions.set(this._canonicalize(match[1]), match[2]);
+            }
+        }
+        return versions;
+    }
+    /**
+     * Parse poetry show --tree output into a dependency graph structure.
+     * Top-level lines (no indentation/tree chars) are direct deps: "name version description"
+     * Indented lines are transitive deps with tree chars: "├── name >=constraint"
+     *
+     * @param {string} treeOutput
+     * @param {Map<string, string>} versionMap - canonical name -> resolved version
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePoetryTree(treeOutput, versionMap) {
+        let lines = treeOutput.split(/\r?\n/);
+        let graph = new Map();
+        let directDeps = [];
+        let stack = []; // [{key, depth}]
+        let currentDirectDep = null;
+        for (let line of lines) {
+            if (!line.trim()) {
+                continue;
+            }
+            // top-level line: "name version description..."
+            let topMatch = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s+(\S+)\s/);
+            if (topMatch) {
+                let name = topMatch[1];
+                let version = topMatch[2];
+                let key = this._canonicalize(name);
+                directDeps.push(key);
+                if (!graph.has(key)) {
+                    graph.set(key, { name, version, children: [] });
+                }
+                currentDirectDep = key;
+                stack = [{ key, depth: -1 }];
+                continue;
+            }
+            if (!currentDirectDep) {
+                continue;
+            }
+            // indented line with tree chars (UTF-8 box-drawing: ├── └── │)
+            let nameStart = line.search(/[A-Za-z0-9]/);
+            if (nameStart < 0) {
+                continue;
+            }
+            let rest = line.substring(nameStart);
+            let depMatch = rest.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)/);
+            if (!depMatch) {
+                continue;
+            }
+            let depName = depMatch[1];
+            let depKey = this._canonicalize(depName);
+            // determine depth by counting tree-drawing groups in the prefix
+            let prefix = line.substring(0, nameStart);
+            let depth = (prefix.match(/(?:[├└│ ][\s─]{2} ?)/g) || []).length;
+            // resolve version from the version map
+            let version = versionMap.get(depKey) || null;
+            if (!version) {
+                throw new Error(`poetry: package '${depName}' has no resolved version`);
+            }
+            if (!graph.has(depKey)) {
+                graph.set(depKey, { name: depName, version, children: [] });
+            }
+            // pop stack back to find the parent at depth-1
+            while (stack.length > 0 && stack[stack.length - 1].depth >= depth) {
+                stack.pop();
+            }
+            if (stack.length > 0) {
+                let parentKey = stack[stack.length - 1].key;
+                let parentEntry = graph.get(parentKey);
+                if (parentEntry && !parentEntry.children.includes(depKey)) {
+                    parentEntry.children.push(depKey);
+                }
+            }
+            stack.push({ key: depKey, depth });
+        }
+        return { directDeps, graph };
+    }
+}

package/dist/src/providers/python_uv.d.ts

@@ -0,0 +1,26 @@
+export default class Python_uv extends Base_pyproject {
+    /**
+     * Get the uv export output, either from env var or by running the command.
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getUvExportOutput(manifestDir: string, opts: any): string;
+    /**
+     * Parse uv export output into a dependency graph using tree-sitter-requirements
+     * for package/version extraction and string parsing for "# via" comments.
+     *
+     * @param {string} output
+     * @param {string} projectName - canonical project name to identify direct deps
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    _parseUvExport(output: string, projectName: string): Promise<{
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    }>;
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_uv.js

@@ -0,0 +1,118 @@
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+import { getParser, getPinnedVersionQuery } from './requirements_parser.js';
+export default class Python_uv extends Base_pyproject {
+    /** @returns {string} */
+    _lockFileName() {
+        return 'uv.lock';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'uv';
+    }
+    /**
+     * @param {string} manifestDir
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {Object} opts
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    async _getDependencyData(manifestDir, parsed, opts) {
+        let projectName = this._getProjectName(parsed);
+        let uvOutput = this._getUvExportOutput(manifestDir, opts);
+        return this._parseUvExport(uvOutput, projectName);
+    }
+    /**
+     * Get the uv export output, either from env var or by running the command.
+     * @param {string} manifestDir
+     * @param {Object} opts
+     * @returns {string}
+     */
+    _getUvExportOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_UV_EXPORT')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_UV_EXPORT'], 'base64').toString('ascii');
+        }
+        let uvBin = getCustomPath('uv', opts);
+        return invokeCommand(uvBin, ['export', '--format', 'requirements.txt', '--frozen', '--no-hashes'], { cwd: manifestDir }).toString();
+    }
+    /**
+     * Parse uv export output into a dependency graph using tree-sitter-requirements
+     * for package/version extraction and string parsing for "# via" comments.
+     *
+     * @param {string} output
+     * @param {string} projectName - canonical project name to identify direct deps
+     * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
+     */
+    async _parseUvExport(output, projectName) {
+        let [parser, pinnedVersionQuery] = await Promise.all([
+            getParser(), getPinnedVersionQuery()
+        ]);
+        let tree = parser.parse(output);
+        let root = tree.rootNode;
+        let canonProjectName = this._canonicalize(projectName);
+        let packages = new Map(); // canonical name -> {name, version, parents: Set}
+        let currentPkg = null;
+        let collectingVia = false;
+        for (let child of root.children) {
+            if (child.type === 'requirement') {
+                let nameNode = child.children.find(c => c.type === 'package');
+                if (!nameNode) {
+                    continue;
+                }
+                let name = nameNode.text;
+                let version = null;
+                let versionMatches = pinnedVersionQuery.matches(child);
+                if (versionMatches.length > 0) {
+                    version = versionMatches[0].captures.find(c => c.name === 'version').node.text;
+                }
+                if (!version) {
+                    throw new Error(`uv export: package '${name}' has no pinned version`);
+                }
+                let key = this._canonicalize(name);
+                currentPkg = { name, version, parents: new Set() };
+                packages.set(key, currentPkg);
+                collectingVia = false;
+                continue;
+            }
+            if (child.type === 'comment' && currentPkg) {
+                let text = child.text.trim();
+                let viaSingle = text.match(/^# via ([A-Za-z0-9][A-Za-z0-9._-]*)$/);
+                if (viaSingle) {
+                    currentPkg.parents.add(this._canonicalize(viaSingle[1]));
+                    collectingVia = false;
+                    continue;
+                }
+                if (text === '# via') {
+                    collectingVia = true;
+                    continue;
+                }
+                if (collectingVia) {
+                    let parentMatch = text.match(/^#\s+([A-Za-z0-9][A-Za-z0-9._-]*)$/);
+                    if (parentMatch) {
+                        currentPkg.parents.add(this._canonicalize(parentMatch[1]));
+                        continue;
+                    }
+                    collectingVia = false;
+                }
+            }
+        }
+        // Build forward dependency map and extract direct deps in one pass
+        let graph = new Map();
+        let directDeps = [];
+        for (let [key, pkg] of packages) {
+            graph.set(key, { name: pkg.name, version: pkg.version, children: [] });
+        }
+        for (let [childKey, pkg] of packages) {
+            for (let parentKey of pkg.parents) {
+                if (parentKey === canonProjectName) {
+                    directDeps.push(childKey);
+                    continue;
+                }
+                let parentEntry = graph.get(parentKey);
+                if (parentEntry) {
+                    parentEntry.children.push(childKey);
+                }
+            }
+        }
+        return { directDeps, graph };
+    }
+}

package/dist/src/sbom.d.ts

@@ -53,6 +53,13 @@ export default class Sbom {
      * @return {boolean}
      */
     checkIfPackageInsideDependsOnList(component: any, name: string): boolean;
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component to check
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef: PackageURL, purlPrefix: string): boolean;
     /** Removes the root component from the sbom
      */
     removeRootComponent(): void;

package/dist/src/sbom.js

@@ -77,6 +77,15 @@ export default class Sbom {
     checkIfPackageInsideDependsOnList(component, name) {
         return this.sbomModel.checkIfPackageInsideDependsOnList(component, name);
     }
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component to check
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef, purlPrefix) {
+        return this.sbomModel.checkDependsOnByPurlPrefix(sourceRef, purlPrefix);
+    }
     /** Removes the root component from the sbom
      */
     removeRootComponent() {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.de12f6a",
+	"version": "0.3.0-ea.e5bb86c",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",
@@ -38,7 +38,7 @@
 		"lint": "eslint src test --ext js",
 		"lint:fix": "eslint src test --ext js --fix",
 		"test": "c8 npm run tests",
-		"tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
+		"tests": "mocha --config .mocharc.json",
 		"tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
 		"pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
 		"precompile": "rm -rf dist",