@trustify-da/trustify-da-javascript-client 0.3.0-ea.e12bc82 → 0.3.0-ea.f2d5d72

package/dist/src/analysis.js

@@ -1,28 +1,12 @@
 import fs from "node:fs";
 import path from "node:path";
 import { EOL } from "os";
-import { HttpsProxyAgent } from "https-proxy-agent";
+import { runLicenseCheck } from "./license/index.js";
 import { generateImageSBOM, parseImageRef } from "./oci_image/utils.js";
-import { RegexNotToBeLogged, getCustom } from "./tools.js";
-export default { requestComponent, requestStack, requestImages, validateToken };
-const rhdaTokenHeader = "rhda-token";
-const rhdaTelemetryId = "rhda-telemetry-id";
-const rhdaSourceHeader = "rhda-source";
-const rhdaOperationTypeHeader = "rhda-operation-type";
-const rhdaPackageManagerHeader = "rhda-pkg-manager";
-/**
- * Adds proxy agent configuration to fetch options if a proxy URL is specified
- * @param {RequestInit} options - The base fetch options
- * @param {import("index.js").Options} opts - The trustify DA options that may contain proxy configuration
- * @returns {RequestInit} The fetch options with proxy agent if applicable
- */
-function addProxyAgent(options, opts) {
-    const proxyUrl = getCustom('TRUSTIFY_DA_PROXY_URL', null, opts);
-    if (proxyUrl) {
-        options.agent = new HttpsProxyAgent(proxyUrl);
-    }
-    return options;
-}
+import { addProxyAgent, getCustom, getTokenHeaders, TRUSTIFY_DA_OPERATION_TYPE_HEADER, TRUSTIFY_DA_PACKAGE_MANAGER_HEADER } from "./tools.js";
+/** Media type for CycloneDX JSON batch payloads (batch-analysis API). */
+export const CYCLONEDX_JSON_MEDIA_TYPE = 'application/vnd.cyclonedx+json';
+export default { requestComponent, requestStack, requestStackBatch, requestImages, validateToken };
 /**
  * Send a stack analysis request and get the report as 'text/html' or 'application/json'.
  * @param {import('./provider').Provider} provider - the provided data for constructing the request
@@ -35,15 +19,15 @@ function addProxyAgent(options, opts) {
 async function requestStack(provider, manifest, url, html = false, opts = {}) {
     opts["source-manifest"] = Buffer.from(fs.readFileSync(manifest).toString()).toString('base64');
     opts["manifest-type"] = path.parse(manifest).base;
-    let provided = provider.provideStack(manifest, opts); // throws error if content providing failed
+    let provided = await provider.provideStack(manifest, opts); // throws error if content providing failed
     opts["source-manifest"] = "";
-    opts[rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_")] = "stack-analysis";
+    opts[TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_")] = "stack-analysis";
     let startTime = new Date();
     let endTime;
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         console.log("Starting time of sending stack analysis request to the dependency analytics server= " + startTime);
     }
-    opts[rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
+    opts[TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
     const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
@@ -53,7 +37,7 @@ async function requestStack(provider, manifest, url, html = false, opts = {}) {
         },
         body: provided.content
     }, opts);
-    const finalUrl = new URL(`${url}/api/v4/analysis`);
+    const finalUrl = new URL(`${url}/api/v5/analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -94,13 +78,13 @@ async function requestStack(provider, manifest, url, html = false, opts = {}) {
  */
 async function requestComponent(provider, manifest, url, opts = {}) {
     opts["source-manifest"] = Buffer.from(fs.readFileSync(manifest).toString()).toString('base64');
-    let provided = provider.provideComponent(manifest, opts); // throws error if content providing failed
+    let provided = await provider.provideComponent(manifest, opts); // throws error if content providing failed
     opts["source-manifest"] = "";
-    opts[rhdaOperationTypeHeader.toUpperCase().replaceAll("-", "_")] = "component-analysis";
+    opts[TRUSTIFY_DA_OPERATION_TYPE_HEADER.toUpperCase().replaceAll("-", "_")] = "component-analysis";
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         console.log("Starting time of sending component analysis request to Trustify DA backend server= " + new Date());
     }
-    opts[rhdaPackageManagerHeader.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
+    opts[TRUSTIFY_DA_PACKAGE_MANAGER_HEADER.toUpperCase().replaceAll("-", "_")] = provided.ecosystem;
     const fetchOptions = addProxyAgent({
         method: 'POST',
         headers: {
@@ -110,7 +94,7 @@ async function requestComponent(provider, manifest, url, opts = {}) {
         },
         body: provided.content
     }, opts);
-    const finalUrl = new URL(`${url}/api/v4/analysis`);
+    const finalUrl = new URL(`${url}/api/v5/analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -127,12 +111,67 @@ async function requestComponent(provider, manifest, url, opts = {}) {
             console.log(JSON.stringify(result, null, 4));
             console.log("Ending time of sending component analysis request to Trustify DA backend server= " + new Date());
         }
+        const licenseCheckEnabled = getCustom('TRUSTIFY_DA_LICENSE_CHECK', 'true', opts) !== 'false' && opts.licenseCheck !== false;
+        if (licenseCheckEnabled) {
+            try {
+                result.licenseSummary = await runLicenseCheck(provided.content, manifest, url, opts, result);
+            }
+            catch (licenseErr) {
+                result.licenseSummary = { error: licenseErr.message };
+            }
+        }
     }
     else {
         throw new Error(`Got error response from Trustify DA backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`);
     }
     return Promise.resolve(result);
 }
+/**
+ * Send a batch stack analysis request for multiple manifests (SBOMs keyed by purl).
+ * @param {Object.<string, object>} sbomByPurl - Map of root purl to CycloneDX SBOM object
+ * @param {string} url - the backend url
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON
+ * @param {import("index.js").Options} [opts={}]
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ */
+async function requestStackBatch(sbomByPurl, url, html = false, opts = {}) {
+    const finalUrl = new URL(`${url}/api/v5/batch-analysis`);
+    if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
+        finalUrl.searchParams.append('recommend', 'false');
+    }
+    const fetchOptions = addProxyAgent({
+        method: 'POST',
+        headers: {
+            'Accept': html ? 'text/html' : 'application/json',
+            'Content-Type': CYCLONEDX_JSON_MEDIA_TYPE,
+            ...getTokenHeaders(opts)
+        },
+        body: JSON.stringify(sbomByPurl)
+    }, opts);
+    const resp = await fetch(finalUrl, fetchOptions);
+    if (resp.status === 200) {
+        let result;
+        if (!html) {
+            result = await resp.json();
+        }
+        else {
+            result = await resp.text();
+        }
+        if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
+            const exRequestId = resp.headers.get("ex-request-id");
+            if (exRequestId) {
+                console.log("Unique Identifier associated with this request - ex-request-id=" + exRequestId);
+            }
+            console.log("Response body received from Trustify DA backend server : " + EOL + EOL);
+            console.log(JSON.stringify(result, null, 4));
+            console.log("Ending time of sending batch stack analysis request to Trustify DA backend server= " + new Date());
+        }
+        return result;
+    }
+    else {
+        throw new Error(`Got error response from Trustify DA backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`);
+    }
+}
 /**
  *
  * @param {Array<string>} imageRefs
@@ -146,7 +185,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
         const parsedImageRef = parseImageRef(image, opts);
         imageSboms[parsedImageRef.getPackageURL().toString()] = generateImageSBOM(parsedImageRef, opts);
     }
-    const finalUrl = new URL(`${url}/api/v4/batch-analysis`);
+    const finalUrl = new URL(`${url}/api/v5/batch-analysis`);
     if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
         finalUrl.searchParams.append('recommend', 'false');
     }
@@ -154,7 +193,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
         method: 'POST',
         headers: {
             'Accept': html ? 'text/html' : 'application/json',
-            'Content-Type': 'application/vnd.cyclonedx+json',
+            'Content-Type': CYCLONEDX_JSON_MEDIA_TYPE,
             ...getTokenHeaders(opts)
         },
         body: JSON.stringify(imageSboms),
@@ -195,7 +234,7 @@ async function validateToken(url, opts = {}) {
             ...getTokenHeaders(opts),
         }
     }, opts);
-    let resp = await fetch(`${url}/api/v4/token`, fetchOptions);
+    let resp = await fetch(`${url}/api/v5/token`, fetchOptions);
     if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
         let exRequestId = resp.headers.get("ex-request-id");
         if (exRequestId) {
@@ -204,49 +243,3 @@ async function validateToken(url, opts = {}) {
     }
     return resp.status;
 }
-/**
- *
- * @param {string} headerName - the header name to populate in request
- * @param headers
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
- * @private
- */
-function setRhdaHeader(headerName, headers, opts) {
-    let rhdaHeaderValue = getCustom(headerName.toUpperCase().replaceAll("-", "_"), null, opts);
-    if (rhdaHeaderValue) {
-        headers[headerName] = rhdaHeaderValue;
-    }
-}
-/**
- * Utility function for fetching vendor tokens
- * @param {import("index.js").Options} [opts={}] - optional various options to pass along the application
- * @returns {{}}
- */
-function getTokenHeaders(opts = {}) {
-    let supportedTokens = ['snyk', 'oss-index'];
-    let headers = {};
-    supportedTokens.forEach(vendor => {
-        let token = getCustom(`TRUSTIFY_DA_${vendor.replace("-", "_").toUpperCase()}_TOKEN`, null, opts);
-        if (token) {
-            headers[`ex-${vendor}-token`] = token;
-        }
-        let user = getCustom(`TRUSTIFY_DA_${vendor.replace("-", "_").toUpperCase()}_USER`, null, opts);
-        if (user) {
-            headers[`ex-${vendor}-user`] = user;
-        }
-    });
-    setRhdaHeader(rhdaTokenHeader, headers, opts);
-    setRhdaHeader(rhdaSourceHeader, headers, opts);
-    setRhdaHeader(rhdaOperationTypeHeader, headers, opts);
-    setRhdaHeader(rhdaPackageManagerHeader, headers, opts);
-    setRhdaHeader(rhdaTelemetryId, headers, opts);
-    if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
-        console.log("Headers Values to be sent to Trustify DA backend:" + EOL);
-        for (const headerKey in headers) {
-            if (!headerKey.match(RegexNotToBeLogged)) {
-                console.log(`${headerKey}: ${headers[headerKey]}`);
-            }
-        }
-    }
-    return headers;
-}

package/dist/src/batch_opts.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Whether to skip failed manifests and continue (default), or fail on first SBOM/validation error.
+ * `opts.continueOnError` overrides; env `TRUSTIFY_DA_CONTINUE_ON_ERROR=false` disables continuation.
+ *
+ * @param {{ continueOnError?: boolean, TRUSTIFY_DA_CONTINUE_ON_ERROR?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean} true = collect errors (default), false = fail-fast
+ */
+export function resolveContinueOnError(opts?: {
+    continueOnError?: boolean;
+    TRUSTIFY_DA_CONTINUE_ON_ERROR?: string;
+    [key: string]: unknown;
+}): boolean;
+/**
+ * When true, `stackAnalysisBatch` returns `{ analysis, metadata }` instead of the backend response only.
+ * `opts.batchMetadata` overrides; env `TRUSTIFY_DA_BATCH_METADATA=true` enables.
+ *
+ * @param {{ batchMetadata?: boolean, TRUSTIFY_DA_BATCH_METADATA?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean}
+ */
+export function resolveBatchMetadata(opts?: {
+    batchMetadata?: boolean;
+    TRUSTIFY_DA_BATCH_METADATA?: string;
+    [key: string]: unknown;
+}): boolean;

package/dist/src/batch_opts.js

@@ -0,0 +1,35 @@
+import { getCustom } from './tools.js';
+/**
+ * Whether to skip failed manifests and continue (default), or fail on first SBOM/validation error.
+ * `opts.continueOnError` overrides; env `TRUSTIFY_DA_CONTINUE_ON_ERROR=false` disables continuation.
+ *
+ * @param {{ continueOnError?: boolean, TRUSTIFY_DA_CONTINUE_ON_ERROR?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean} true = collect errors (default), false = fail-fast
+ */
+export function resolveContinueOnError(opts = {}) {
+    if (typeof opts.continueOnError === 'boolean') {
+        return opts.continueOnError;
+    }
+    const v = getCustom('TRUSTIFY_DA_CONTINUE_ON_ERROR', null, opts);
+    if (v != null && String(v).trim() !== '') {
+        return String(v).toLowerCase() !== 'false';
+    }
+    return true;
+}
+/**
+ * When true, `stackAnalysisBatch` returns `{ analysis, metadata }` instead of the backend response only.
+ * `opts.batchMetadata` overrides; env `TRUSTIFY_DA_BATCH_METADATA=true` enables.
+ *
+ * @param {{ batchMetadata?: boolean, TRUSTIFY_DA_BATCH_METADATA?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean}
+ */
+export function resolveBatchMetadata(opts = {}) {
+    if (typeof opts.batchMetadata === 'boolean') {
+        return opts.batchMetadata;
+    }
+    const v = getCustom('TRUSTIFY_DA_BATCH_METADATA', null, opts);
+    if (v != null && String(v).trim() !== '') {
+        return String(v).toLowerCase() === 'true';
+    }
+    return false;
+}

package/dist/src/cli.js

@@ -2,7 +2,8 @@
 import * as path from "path";
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
-import client from './index.js';
+import { getProjectLicense, getLicenseDetails } from './license/index.js';
+import client, { selectTrustifyDABackend } from './index.js';
 // command for component analysis take manifest type and content
 const component = {
     command: 'component </path/to/manifest>',
@@ -11,10 +12,18 @@ const component = {
         desc: 'manifest path for analyzing',
         type: 'string',
         normalize: true,
+    }).options({
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
+        }
     }),
     handler: async (args) => {
         let manifestName = args['/path/to/manifest'];
-        let res = await client.componentAnalysis(manifestName);
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
+        let res = await client.componentAnalysis(manifestName, opts);
         console.log(JSON.stringify(res, null, 2));
     }
 };
@@ -22,9 +31,8 @@ const validateToken = {
     command: 'validate-token <token-provider> [--token-value thevalue]',
     desc: 'Validates input token if authentic and authorized',
     builder: yargs => yargs.positional('token-provider', {
-        desc: 'the token provider',
-        type: 'string',
-        choices: ['snyk', 'oss-index'],
+        desc: 'the token provider name',
+        type: 'string'
     }).options({
         tokenValue: {
             alias: 'value',
@@ -37,7 +45,7 @@ const validateToken = {
         let opts = {};
         if (args['tokenValue'] !== undefined && args['tokenValue'].trim() !== "") {
             let tokenValue = args['tokenValue'].trim();
-            opts[`TRUSTIFY_DA_${tokenProvider}_TOKEN`] = tokenValue;
+            opts[`TRUSTIFY_DA_PROVIDER_${tokenProvider}_TOKEN`] = tokenValue;
         }
         let res = await client.validateToken(opts);
         console.log(res);
@@ -117,15 +125,22 @@ const stack = {
             desc: 'For JSON report, get only the \'summary\'',
             type: 'boolean',
             conflicts: 'html'
+        },
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
         }
     }),
     handler: async (args) => {
         let manifest = args['/path/to/manifest'];
         let html = args['html'];
         let summary = args['summary'];
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
         let theProvidersSummary = new Map();
         let theProvidersObject = {};
-        let res = await client.stackAnalysis(manifest, html);
+        let res = await client.stackAnalysis(manifest, html, opts);
         if (summary) {
             for (let provider in res.providers) {
                 if (res.providers[provider].sources !== undefined) {
@@ -143,13 +158,182 @@ const stack = {
         console.log(html ? res : JSON.stringify(!html && summary ? theProvidersObject : res, null, 2));
     }
 };
+// command for batch stack analysis (workspace)
+const stackBatch = {
+    command: 'stack-batch </path/to/workspace-root> [--html|--summary] [--concurrency <n>] [--ignore <pattern>...] [--metadata] [--fail-fast]',
+    desc: 'produce stack report for all packages/crates in a workspace (Cargo or JS/TS)',
+    builder: yargs => yargs.positional('/path/to/workspace-root', {
+        desc: 'workspace root directory (containing Cargo.toml+Cargo.lock or package.json+lock file)',
+        type: 'string',
+        normalize: true,
+    }).options({
+        html: {
+            alias: 'r',
+            desc: 'Get the report as HTML instead of JSON',
+            type: 'boolean',
+            conflicts: 'summary'
+        },
+        summary: {
+            alias: 's',
+            desc: 'For JSON report, get only the \'summary\' per package',
+            type: 'boolean',
+            conflicts: 'html'
+        },
+        concurrency: {
+            alias: 'c',
+            desc: 'Max parallel SBOM generations (default: 10, env: TRUSTIFY_DA_BATCH_CONCURRENCY)',
+            type: 'number',
+        },
+        ignore: {
+            alias: 'i',
+            desc: 'Extra glob patterns excluded from workspace discovery (merged with defaults). Repeat flag per pattern. Env: TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE (comma-separated)',
+            type: 'string',
+            array: true,
+        },
+        metadata: {
+            alias: 'm',
+            desc: 'Return { analysis, metadata } with per-manifest errors (env: TRUSTIFY_DA_BATCH_METADATA=true)',
+            type: 'boolean',
+            default: false,
+        },
+        failFast: {
+            desc: 'Stop on first invalid package.json or SBOM error (env: TRUSTIFY_DA_CONTINUE_ON_ERROR=false)',
+            type: 'boolean',
+            default: false,
+        }
+    }),
+    handler: async (args) => {
+        const workspaceRoot = args['/path/to/workspace-root'];
+        const html = args['html'];
+        const summary = args['summary'];
+        const opts = {};
+        if (args.concurrency != null) {
+            opts.batchConcurrency = args.concurrency;
+        }
+        const extraIgnores = Array.isArray(args.ignore) ? args.ignore.filter(p => p != null && String(p).trim()) : [];
+        if (extraIgnores.length > 0) {
+            opts.workspaceDiscoveryIgnore = extraIgnores;
+        }
+        if (args.metadata) {
+            opts.batchMetadata = true;
+        }
+        if (args.failFast) {
+            opts.continueOnError = false;
+        }
+        let res = await client.stackAnalysisBatch(workspaceRoot, html, opts);
+        const batchAnalysis = res && typeof res === 'object' && res != null && 'analysis' in res ? res.analysis : res;
+        if (summary && !html && typeof batchAnalysis === 'object') {
+            const summaries = {};
+            for (const [purl, report] of Object.entries(batchAnalysis)) {
+                if (report?.providers) {
+                    for (const provider of Object.keys(report.providers)) {
+                        const sources = report.providers[provider]?.sources;
+                        if (sources) {
+                            for (const [source, data] of Object.entries(sources)) {
+                                if (data?.summary) {
+                                    if (!summaries[purl]) {
+                                        summaries[purl] = {};
+                                    }
+                                    if (!summaries[purl][provider]) {
+                                        summaries[purl][provider] = {};
+                                    }
+                                    summaries[purl][provider][source] = data.summary;
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            if (res && typeof res === 'object' && res != null && 'metadata' in res) {
+                res = { analysis: summaries, metadata: res.metadata };
+            }
+            else {
+                res = summaries;
+            }
+        }
+        if (html) {
+            const htmlContent = res && typeof res === 'object' && 'analysis' in res ? res.analysis : res;
+            console.log(htmlContent);
+        }
+        else {
+            console.log(JSON.stringify(res, null, 2));
+        }
+    }
+};
+// command for license checking
+const license = {
+    command: 'license </path/to/manifest>',
+    desc: 'Display project license information from manifest and LICENSE file in JSON format',
+    builder: yargs => yargs.positional('/path/to/manifest', {
+        desc: 'manifest path for license analysis',
+        type: 'string',
+        normalize: true,
+    }),
+    handler: async (args) => {
+        let manifestPath = args['/path/to/manifest'];
+        const opts = {}; // CLI options can be extended in the future
+        try {
+            selectTrustifyDABackend(opts);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: err.message }, null, 2));
+            process.exit(1);
+        }
+        let localResult;
+        try {
+            localResult = getProjectLicense(manifestPath);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: `Failed to read manifest: ${err.message}` }, null, 2));
+            process.exit(1);
+        }
+        const errors = [];
+        // Build LicenseInfo objects
+        const buildLicenseInfo = async (spdxId) => {
+            if (!spdxId) {
+                return null;
+            }
+            const licenseInfo = { spdxId };
+            try {
+                const details = await getLicenseDetails(spdxId, opts);
+                if (details) {
+                    // Check if backend recognized the license as valid
+                    if (details.category === 'UNKNOWN') {
+                        errors.push(`"${spdxId}" is not a valid SPDX license identifier. Please use a valid SPDX expression (e.g., "Apache-2.0", "MIT"). See https://spdx.org/licenses/`);
+                    }
+                    else {
+                        Object.assign(licenseInfo, details);
+                    }
+                }
+                else {
+                    errors.push(`No license details found for ${spdxId}`);
+                }
+            }
+            catch (err) {
+                errors.push(`Failed to fetch details for ${spdxId}: ${err.message}`);
+            }
+            return licenseInfo;
+        };
+        const output = {
+            manifestLicense: await buildLicenseInfo(localResult.fromManifest),
+            fileLicense: await buildLicenseInfo(localResult.fromFile),
+            mismatch: localResult.mismatch
+        };
+        if (errors.length > 0) {
+            output.errors = errors;
+        }
+        console.log(JSON.stringify(output, null, 2));
+    }
+};
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|image|validate-token}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license}`)
     .command(stack)
+    .command(stackBatch)
     .command(component)
     .command(image)
     .command(validateToken)
+    .command(license)
     .scriptName('')
     .version(false)
     .demandCommand(1)

package/dist/src/cyclone_dx_sbom.d.ts

@@ -1,4 +1,3 @@
-/// <reference types="packageurl-js/src/package-url" />
 export default class CycloneDxSbom {
     sbomObject: any;
     rootComponent: any;
@@ -7,9 +6,10 @@ export default class CycloneDxSbom {
     sourceManifestForAuditTrail: any;
     /**
      * @param {PackageURL} root - add main/root component for sbom
+     * @param {string|Array} [licenses] - optional license(s) for the root component
      * @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
      */
-    addRoot(root: PackageURL): CycloneDxSbom;
+    addRoot(root: PackageURL, licenses?: string | any[]): CycloneDxSbom;
     /**
      * @return {{{"bom-ref": string, name, purl: string, type, version}}} root component of sbom.
      */
@@ -49,6 +49,7 @@ export default class CycloneDxSbom {
         type: any;
         version: any;
         scope: any;
+        licenses?: any;
     };
     /**
      * This method gets an array of dependencies to be ignored, and remove all of them from CycloneDx Sbom
@@ -69,6 +70,13 @@ export default class CycloneDxSbom {
      * @return {boolean}
      */
     checkIfPackageInsideDependsOnList(component: any, name: string): boolean;
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef: PackageURL, purlPrefix: string): boolean;
     /** Removes the root component from the sbom
      */
     removeRootComponent(): void;

package/dist/src/cyclone_dx_sbom.js

@@ -5,10 +5,11 @@ import { PackageURL } from "packageurl-js";
  * @param component {PackageURL}
  * @param type type of package - application or library
  * @param scope scope of the component - runtime or compile
- * @return {{"bom-ref": string, name, purl: string, type, version, scope}}
+ * @param licenses optional license string or array of licenses for the component
+ * @return {{"bom-ref": string, name, purl: string, type, version, scope, licenses?}}
  * @private
  */
-function getComponent(component, type, scope) {
+function getComponent(component, type, scope, licenses) {
     let componentObject;
     if (component instanceof PackageURL) {
         if (component.namespace) {
@@ -36,6 +37,16 @@ function getComponent(component, type, scope) {
     else {
         componentObject = component;
     }
+    // Add licenses if provided (CycloneDX format). Callers must provide valid SPDX identifiers.
+    if (licenses) {
+        const licenseArray = Array.isArray(licenses) ? licenses : [licenses];
+        componentObject.licenses = licenseArray.map(lic => {
+            if (typeof lic === 'string') {
+                return { license: { id: lic } };
+            }
+            return lic;
+        });
+    }
     return componentObject;
 }
 function createDependency(dependency) {
@@ -56,11 +67,12 @@ export default class CycloneDxSbom {
     }
     /**
      * @param {PackageURL} root - add main/root component for sbom
+     * @param {string|Array} [licenses] - optional license(s) for the root component
      * @return {CycloneDxSbom} the CycloneDxSbom Sbom Object
      */
-    addRoot(root) {
+    addRoot(root, licenses) {
         this.rootComponent =
-            getComponent(root, "application");
+            getComponent(root, "application", undefined, licenses);
         this.components.push(this.rootComponent);
         return this;
     }
@@ -108,6 +120,7 @@ export default class CycloneDxSbom {
     getAsJsonString(opts) {
         let manifestType = opts["manifest-type"];
         this.setSourceManifest(opts["source-manifest"]);
+        const rootPurl = this.rootComponent?.purl;
         this.sbomObject = {
             "bomFormat": "CycloneDX",
             "specVersion": "1.4",
@@ -117,7 +130,7 @@ export default class CycloneDxSbom {
                 "component": this.rootComponent,
                 "properties": new Array()
             },
-            "components": this.components,
+            "components": this.components.filter(c => c.purl !== rootPurl),
             "dependencies": this.dependencies
         };
         if (this.rootComponent === undefined) {
@@ -229,6 +242,20 @@ export default class CycloneDxSbom {
             return false;
         }
     }
+    /**
+     * Checks if any entry in the dependsOn list of sourceRef starts with the given purl prefix.
+     * @param {PackageURL} sourceRef - The source component
+     * @param {string} purlPrefix - The purl prefix to match (e.g. "pkg:npm/minimist@")
+     * @return {boolean}
+     */
+    checkDependsOnByPurlPrefix(sourceRef, purlPrefix) {
+        const sourcePurl = sourceRef.toString();
+        const depIndex = this.getDependencyIndex(sourcePurl);
+        if (depIndex < 0) {
+            return false;
+        }
+        return this.dependencies[depIndex].dependsOn.some(dep => dep.startsWith(purlPrefix));
+    }
     /** Removes the root component from the sbom
      */
     removeRootComponent() {