@trustify-da/trustify-da-javascript-client 0.3.0-ea.e5bb86c → 0.3.0-ea.f136061

package/dist/src/cli.js

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
+import fs from 'node:fs';
 import * as path from "path";
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import { getProjectLicense, getLicenseDetails } from './license/index.js';
-import client, { selectTrustifyDABackend } from './index.js';
+import client, { selectTrustifyDABackend, generateSbom } from './index.js';
 // command for component analysis take manifest type and content
 const component = {
     command: 'component </path/to/manifest>',
@@ -325,15 +326,63 @@ const license = {
         console.log(JSON.stringify(output, null, 2));
     }
 };
+const sbom = {
+    command: 'sbom </path/to/manifest> [--output]',
+    desc: 'generate a CycloneDX SBOM from a manifest file',
+    builder: yargs => yargs.positional('/path/to/manifest', {
+        desc: 'manifest path for SBOM generation',
+        type: 'string',
+        normalize: true,
+    }).options({
+        output: {
+            alias: 'o',
+            desc: 'Write SBOM JSON to a file instead of stdout',
+            type: 'string',
+            normalize: true,
+        },
+        workspaceDir: {
+            alias: 'w',
+            desc: 'Workspace root directory (for monorepos; lock file is expected here)',
+            type: 'string',
+            normalize: true,
+        }
+    }),
+    handler: async (args) => {
+        let manifest = args['/path/to/manifest'];
+        const opts = args.workspaceDir ? { TRUSTIFY_DA_WORKSPACE_DIR: args.workspaceDir } : {};
+        let result;
+        try {
+            result = await generateSbom(manifest, opts);
+        }
+        catch (err) {
+            console.error(JSON.stringify({ error: `Failed to generate SBOM: ${err.message}` }, null, 2));
+            process.exit(1);
+        }
+        const json = JSON.stringify(result, null, 2);
+        if (args.output) {
+            try {
+                fs.writeFileSync(args.output, json);
+            }
+            catch (err) {
+                console.error(JSON.stringify({ error: `Failed to write output file: ${err.message}` }, null, 2));
+                process.exit(1);
+            }
+        }
+        else {
+            console.log(json);
+        }
+    }
+};
 // parse and invoke the command
 yargs(hideBin(process.argv))
-    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license}`)
+    .usage(`Usage: ${process.argv[0].includes("node") ? path.parse(process.argv[1]).base : path.parse(process.argv[0]).base} {component|stack|stack-batch|image|validate-token|license|sbom}`)
     .command(stack)
     .command(stackBatch)
     .command(component)
     .command(image)
     .command(validateToken)
     .command(license)
+    .command(sbom)
     .scriptName('')
     .version(false)
     .demandCommand(1)

package/dist/src/index.d.ts

@@ -13,6 +13,15 @@ export function selectTrustifyDABackend(opts?: {
     TRUSTIFY_DA_DEBUG?: string | undefined;
     TRUSTIFY_DA_BACKEND_URL?: string | undefined;
 }): string;
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export function generateSbom(manifestPath: string, opts?: Options): Promise<object>;
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 declare namespace _default {
@@ -21,6 +30,7 @@ declare namespace _default {
     export { stackAnalysisBatch };
     export { imageAnalysis };
     export { validateToken };
+    export { generateSbom };
 }
 export default _default;
 export type Options = {

package/dist/src/index.js

@@ -12,7 +12,7 @@ import * as url from 'url';
 export { parseImageRef } from "./oci_image/utils.js";
 export { ImageRef } from "./oci_image/images.js";
 export { getProjectLicense, findLicenseFilePath, identifyLicense, getLicenseDetails, licensesFromReport, normalizeLicensesResponse, runLicenseCheck, getCompatibility } from "./license/index.js";
-export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken };
+export default { componentAnalysis, stackAnalysis, stackAnalysisBatch, imageAnalysis, validateToken, generateSbom };
 export { discoverWorkspacePackages, discoverWorkspaceCrates, validatePackageJson, resolveWorkspaceDiscoveryIgnore, filterManifestPathsByDiscoveryIgnore, resolveContinueOnError, resolveBatchMetadata, };
 /**
  * @typedef {{
@@ -237,6 +237,22 @@ function buildBatchAnalysisMetadata(root, ecosystem, totalSbomAttempts, successf
         errors: [...errors],
     };
 }
+/**
+ * Generate a CycloneDX SBOM from a manifest file. No backend HTTP request is made.
+ *
+ * @param {string} manifestPath - path to the manifest file (e.g. pom.xml, package.json)
+ * @param {Options} [opts={}] - optional options (e.g. workspace dir, tool paths)
+ * @returns {Promise<object>} parsed CycloneDX SBOM JSON object
+ * @throws {Error} if the manifest is unsupported or SBOM generation fails
+ */
+export async function generateSbom(manifestPath, opts = {}) {
+    fs.accessSync(manifestPath, fs.constants.R_OK);
+    const result = await generateOneSbom(manifestPath, opts);
+    if (!result.ok) {
+        throw new Error(`Failed to generate SBOM for ${result.manifestPath}: ${result.reason}`);
+    }
+    return result.sbom;
+}
 /**
  * @typedef {{ ok: true, purl: string, sbom: object } | { ok: false, manifestPath: string, reason: string }} SbomResult
  */

package/dist/src/oci_image/utils.js

@@ -135,7 +135,7 @@ function execSyft(imageRef, opts = {}) {
 function getSyftEnvs(dockerPath, podmanPath) {
     let path = null;
     if (dockerPath && podmanPath) {
-        path = `${dockerPath}${File.pathSeparator}${podmanPath}`;
+        path = `${dockerPath}${delimiter}${podmanPath}`;
     }
     else if (dockerPath) {
         path = dockerPath;
@@ -276,7 +276,16 @@ function podmanGetVariant(opts = {}) {
  * @returns {string} - The information
  */
 function dockerPodmanInfo(dockerSupplier, podmanSupplier, opts = {}) {
-    return dockerSupplier(opts) || podmanSupplier(opts);
+    try {
+        const result = dockerSupplier(opts);
+        if (result) {
+            return result;
+        }
+    }
+    catch (_) {
+        // docker not available, fall through to podman
+    }
+    return podmanSupplier(opts);
 }
 /**
  * Gets the digests for an image

package/dist/src/provider.js

@@ -7,6 +7,7 @@ import Javascript_npm from './providers/javascript_npm.js';
 import Javascript_pnpm from './providers/javascript_pnpm.js';
 import Javascript_yarn from './providers/javascript_yarn.js';
 import pythonPipProvider from './providers/python_pip.js';
+import Python_pip_pyproject from './providers/python_pip_pyproject.js';
 import Python_poetry from './providers/python_poetry.js';
 import Python_uv from './providers/python_uv.js';
 import rustCargoProvider from './providers/rust_cargo.js';
@@ -27,6 +28,7 @@ export const availableProviders = [
     pythonPipProvider,
     new Python_poetry(),
     new Python_uv(),
+    new Python_pip_pyproject(),
     rustCargoProvider
 ];
 /**

package/dist/src/providers/base_pyproject.d.ts

@@ -10,9 +10,29 @@ export default class Base_pyproject {
     isSupported(manifestName: string): boolean;
     /**
      * @param {string} manifestDir
+     * @param {Object} [opts={}]
      * @returns {boolean}
      */
-    validateLockFile(manifestDir: string): boolean;
+    validateLockFile(manifestDir: string, opts?: any): boolean;
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    protected _findLockFileDir(manifestDir: string, opts?: any): string | null;
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    protected _isWorkspaceRoot(dir: string): boolean;
     /**
      * Read project license from pyproject.toml, with fallback to LICENSE file.
      * @param {string} manifestPath
@@ -43,13 +63,16 @@ export default class Base_pyproject {
     protected _cmdName(): string;
     /**
      * Resolve dependencies using the tool-specific command and parser.
-     * @param {string} manifestDir
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
      * @param {object} parsed - parsed pyproject.toml
      * @param {Object} opts
      * @returns {Promise<DependencyData>}
      * @protected
      */
-    protected _getDependencyData(manifestDir: string, parsed: object, opts: any): Promise<DependencyData>;
+    protected _getDependencyData(manifestDir: string, workspaceDir: string, parsed: object, opts: any): Promise<DependencyData>;
     /**
      * Canonicalize a Python package name per PEP 503.
      * @param {string} name
@@ -79,26 +102,14 @@ export default class Base_pyproject {
      */
     protected _getIgnoredDeps(manifestPath: string): Set<string>;
     /**
-     * Build dependency tree from graph, starting from direct deps.
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps - canonical names of direct deps
+     * @param {string[]} directDeps
      * @param {Set<string>} ignoredDeps
-     * @param {boolean} includeTransitive
-     * @returns {DepTreeEntry[]}
-     * @protected
-     */
-    protected _buildDependencyTree(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>, includeTransitive: boolean): DepTreeEntry[];
-    /**
-     * Recursively collect transitive dependencies.
-     * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} childKeys
-     * @param {DepTreeEntry[]} result - mutated in place
-     * @param {Set<string>} ignoredDeps
-     * @param {Set<string>} visited
-     * @returns {void}
+     * @returns {Set<string>}
      * @protected
      */
-    protected _collectTransitive(graph: Map<string, GraphEntry>, childKeys: string[], result: DepTreeEntry[], ignoredDeps: Set<string>, visited: Set<string>): void;
+    protected _reachableNodes(graph: Map<string, GraphEntry>, directDeps: string[], ignoredDeps: Set<string>): Set<string>;
     /**
      * @param {string} name
      * @param {string} version
@@ -106,15 +117,6 @@ export default class Base_pyproject {
      * @protected
      */
     protected _toPurl(name: string, version: string): PackageURL;
-    /**
-     * Recursively add a dependency and its transitive deps to the SBOM.
-     * @param {PackageURL} source
-     * @param {DepTreeEntry} dep
-     * @param {Sbom} sbom
-     * @returns {void}
-     * @private
-     */
-    private _addAllDependencies;
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml

package/dist/src/providers/base_pyproject.js

@@ -4,6 +4,7 @@ import { PackageURL } from 'packageurl-js';
 import { parse as parseToml } from 'smol-toml';
 import { getLicense } from '../license/license_utils.js';
 import Sbom from '../sbom.js';
+import { getCustom } from '../tools.js';
 const ecosystem = 'pip';
 const IGNORE_MARKERS = ['exhortignore', 'trustify-da-ignore'];
 const DEFAULT_ROOT_NAME = 'default-pip-root';
@@ -22,10 +23,64 @@ export default class Base_pyproject {
     }
     /**
      * @param {string} manifestDir
+     * @param {Object} [opts={}]
      * @returns {boolean}
      */
-    validateLockFile(manifestDir) {
-        return fs.existsSync(path.join(manifestDir, this._lockFileName()));
+    validateLockFile(manifestDir, opts = {}) {
+        return this._findLockFileDir(manifestDir, opts) != null;
+    }
+    /**
+     * Walk up from manifestDir to find the directory containing the lock file.
+     * Follows the same pattern as Base_javascript._findLockFileDir().
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        let dir = path.resolve(manifestDir);
+        let parent = dir;
+        do {
+            dir = parent;
+            if (fs.existsSync(path.join(dir, this._lockFileName()))) {
+                return dir;
+            }
+            if (this._isWorkspaceRoot(dir)) {
+                return null;
+            }
+            parent = path.dirname(dir);
+        } while (parent !== dir);
+        return null;
+    }
+    /**
+     * Detect workspace root boundaries.
+     * Currently only uv has native workspace support ([tool.uv.workspace] in pyproject.toml).
+     * Poetry has no workspace/monorepo support (python-poetry/poetry#2270), so each
+     * poetry project is treated independently — see Python_poetry._findLockFileDir().
+     * @param {string} dir
+     * @returns {boolean}
+     * @protected
+     */
+    _isWorkspaceRoot(dir) {
+        const pyprojectPath = path.join(dir, 'pyproject.toml');
+        if (!fs.existsSync(pyprojectPath)) {
+            return false;
+        }
+        try {
+            const content = parseToml(fs.readFileSync(pyprojectPath, 'utf-8'));
+            if (content.tool?.uv?.workspace) {
+                return true;
+            }
+        }
+        catch (_) {
+            // ignore parse errors
+        }
+        return false;
     }
     /**
      * Read project license from pyproject.toml, with fallback to LICENSE file.
@@ -91,14 +146,17 @@ export default class Base_pyproject {
     }
     /**
      * Resolve dependencies using the tool-specific command and parser.
-     * @param {string} manifestDir
+     *
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (where the lock file lives);
+     *   only used by providers that need workspace-level resolution (e.g. uv)
      * @param {object} parsed - parsed pyproject.toml
      * @param {Object} opts
      * @returns {Promise<DependencyData>}
      * @protected
      */
     // eslint-disable-next-line no-unused-vars
-    async _getDependencyData(manifestDir, parsed, opts) {
+    async _getDependencyData(manifestDir, workspaceDir, parsed, opts) {
         throw new TypeError('_getDependencyData must be implemented');
     }
     // --- shared helpers ---
@@ -162,64 +220,29 @@ export default class Base_pyproject {
         return ignored;
     }
     /**
-     * Build dependency tree from graph, starting from direct deps.
-     * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} directDeps - canonical names of direct deps
-     * @param {Set<string>} ignoredDeps
-     * @param {boolean} includeTransitive
-     * @returns {DepTreeEntry[]}
-     * @protected
-     */
-    _buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive) {
-        let result = [];
-        for (let key of directDeps) {
-            if (ignoredDeps.has(key)) {
-                continue;
-            }
-            let entry = graph.get(key);
-            if (!entry) {
-                continue;
-            }
-            let depTree = [];
-            if (includeTransitive) {
-                let visited = new Set();
-                visited.add(key);
-                this._collectTransitive(graph, entry.children, depTree, ignoredDeps, visited);
-            }
-            result.push({ name: entry.name, version: entry.version, dependencies: depTree });
-        }
-        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
-        return result;
-    }
-    /**
-     * Recursively collect transitive dependencies.
+     * Compute the set of graph nodes reachable from direct deps, excluding ignored.
      * @param {Map<string, GraphEntry>} graph
-     * @param {string[]} childKeys
-     * @param {DepTreeEntry[]} result - mutated in place
+     * @param {string[]} directDeps
      * @param {Set<string>} ignoredDeps
-     * @param {Set<string>} visited
-     * @returns {void}
+     * @returns {Set<string>}
      * @protected
      */
-    _collectTransitive(graph, childKeys, result, ignoredDeps, visited) {
-        for (let childKey of childKeys) {
-            let canonKey = this._canonicalize(childKey);
-            if (ignoredDeps.has(canonKey)) {
+    _reachableNodes(graph, directDeps, ignoredDeps) {
+        let reachable = new Set();
+        let queue = directDeps.filter(k => !ignoredDeps.has(k) && graph.has(k));
+        while (queue.length > 0) {
+            let key = queue.shift();
+            if (reachable.has(key)) {
                 continue;
             }
-            if (visited.has(canonKey)) {
-                continue;
-            }
-            visited.add(canonKey);
-            let entry = graph.get(canonKey);
-            if (!entry) {
-                continue;
+            reachable.add(key);
+            for (let child of graph.get(key).children) {
+                if (!ignoredDeps.has(child) && graph.has(child) && !reachable.has(child)) {
+                    queue.push(child);
+                }
             }
-            let childDeps = [];
-            this._collectTransitive(graph, entry.children, childDeps, ignoredDeps, visited);
-            result.push({ name: entry.name, version: entry.version, dependencies: childDeps });
         }
-        result.sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+        return reachable;
     }
     /**
      * @param {string} name
@@ -230,21 +253,6 @@ export default class Base_pyproject {
     _toPurl(name, version) {
         return new PackageURL('pypi', undefined, name, version, undefined, undefined);
     }
-    /**
-     * Recursively add a dependency and its transitive deps to the SBOM.
-     * @param {PackageURL} source
-     * @param {DepTreeEntry} dep
-     * @param {Sbom} sbom
-     * @returns {void}
-     * @private
-     */
-    _addAllDependencies(source, dep, sbom) {
-        let targetPurl = this._toPurl(dep.name, dep.version);
-        sbom.addDependency(source, targetPurl);
-        if (dep.dependencies && dep.dependencies.length > 0) {
-            dep.dependencies.forEach(child => this._addAllDependencies(this._toPurl(dep.name, dep.version), child, sbom));
-        }
-    }
     /**
      * Create SBOM json string for a pyproject.toml project.
      * @param {string} manifest - path to pyproject.toml
@@ -257,23 +265,50 @@ export default class Base_pyproject {
         let manifestDir = path.dirname(manifest);
         let content = fs.readFileSync(manifest, 'utf-8');
         let parsed = parseToml(content);
-        let { directDeps, graph } = await this._getDependencyData(manifestDir, parsed, opts);
+        let workspaceDir = this._findLockFileDir(manifestDir, opts) || manifestDir;
+        let { directDeps, graph } = await this._getDependencyData(manifestDir, workspaceDir, parsed, opts);
         let ignoredDeps = this._getIgnoredDeps(manifest);
-        let dependencies = this._buildDependencyTree(graph, directDeps, ignoredDeps, includeTransitive);
         let sbom = new Sbom();
         let rootName = this._getProjectName(parsed) || DEFAULT_ROOT_NAME;
         let rootVersion = this._getProjectVersion(parsed) || DEFAULT_ROOT_VERSION;
         let rootPurl = this._toPurl(rootName, rootVersion);
         let license = this.readLicenseFromManifest(manifest);
         sbom.addRoot(rootPurl, license);
-        dependencies.forEach(dep => {
-            if (includeTransitive) {
-                this._addAllDependencies(rootPurl, dep, sbom);
+        if (includeTransitive) {
+            let reachable = this._reachableNodes(graph, directDeps, ignoredDeps);
+            for (let key of directDeps) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
             }
-            else {
-                sbom.addDependency(rootPurl, this._toPurl(dep.name, dep.version));
+            for (let [key, entry] of graph) {
+                if (!reachable.has(key)) {
+                    continue;
+                }
+                let parentPurl = this._toPurl(entry.name, entry.version);
+                for (let child of entry.children) {
+                    if (!reachable.has(child)) {
+                        continue;
+                    }
+                    let childEntry = graph.get(child);
+                    sbom.addDependency(parentPurl, this._toPurl(childEntry.name, childEntry.version));
+                }
+            }
+        }
+        else {
+            for (let key of directDeps) {
+                if (ignoredDeps.has(key)) {
+                    continue;
+                }
+                let entry = graph.get(key);
+                if (!entry) {
+                    continue;
+                }
+                sbom.addDependency(rootPurl, this._toPurl(entry.name, entry.version));
             }
-        });
+        }
         return sbom.getAsJsonString(opts);
     }
 }

package/dist/src/providers/python_controller.js

@@ -95,7 +95,7 @@ export default class Python_controller {
     }
     /**
      * Parse the requirements.txt file using tree-sitter and return structured requirement data.
-     * @return {Promise<{name: string, version: string|null}[]>}
+     * @return {Promise<{name: string, version: string|null, hasMarker: boolean}[]>}
      */
     async #parseRequirements() {
         const content = fs.readFileSync(this.pathToRequirements).toString();
@@ -107,7 +107,8 @@ export default class Python_controller {
             const version = versionMatches.length > 0
                 ? versionMatches[0].captures.find(c => c.name === 'version').node.text
                 : null;
-            return { name, version };
+            const hasMarker = reqNode.children.some(c => c.type === 'marker_spec');
+            return { name, version, hasMarker };
         }));
     }
     #decideIfWindowsOrLinuxPath(fileName) {
@@ -224,7 +225,10 @@ export default class Python_controller {
                 CachedEnvironmentDeps[packageName.replace("_", "-")] = pipDepTreeEntryForCache;
             });
         }
-        parsedRequirements.forEach(({ name: depName, version: manifestVersion }) => {
+        parsedRequirements.forEach(({ name: depName, version: manifestVersion, hasMarker }) => {
+            if (hasMarker && CachedEnvironmentDeps[depName.toLowerCase()] === undefined) {
+                return;
+            }
             if (matchManifestVersions === "true" && manifestVersion != null) {
                 let installedVersion;
                 if (CachedEnvironmentDeps[depName.toLowerCase()] !== undefined) {

package/dist/src/providers/python_pip_pyproject.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    validateLockFile(manifestDir: string, opts?: {}): boolean;
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir: string, opts?: {}): string;
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson: string): {
+        directDeps: string[];
+        graph: Map<string, {
+            name: string;
+            version: string;
+            children: string[];
+        }>;
+    };
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req: string): boolean;
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req: string): string | null;
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    _getDependencyData(manifestDir: string, _workspaceDir: string, parsed: object, opts?: {}): Promise<{
+        directDeps: string[];
+        graph: Map<any, any>;
+    }>;
+    _findEggInfoDirs(dir: any): string[];
+    _cleanupEggInfo(dir: any, existing: any): void;
+}
+import Base_pyproject from './base_pyproject.js';

package/dist/src/providers/python_pip_pyproject.js

@@ -0,0 +1,144 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import Base_pyproject from './base_pyproject.js';
+/**
+ * Python provider for pyproject.toml files using PEP 621 format without a lock file.
+ * Uses `pip install --dry-run --ignore-installed --report` to resolve the full dependency tree.
+ * Acts as the fallback provider when no lock file (uv.lock/poetry.lock) is found.
+ */
+export default class Python_pip_pyproject extends Base_pyproject {
+    /** @returns {string} */
+    _lockFileName() {
+        return '.pip-lock-nonexistent';
+    }
+    /** @returns {string} */
+    _cmdName() {
+        return 'pip';
+    }
+    /**
+     * Always returns true — pip provider is the fallback when no lock file is found.
+     * @param {string} manifestDir
+     * @param {{}} [opts={}]
+     * @returns {boolean}
+     */
+    // eslint-disable-next-line no-unused-vars
+    validateLockFile(manifestDir, opts = {}) {
+        return true;
+    }
+    /**
+     * Get pip report output from env var override or by running pip.
+     * @param {string} manifestDir - directory containing pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {string} pip report JSON string
+     */
+    _getPipReportOutput(manifestDir, opts) {
+        if (environmentVariableIsPopulated('TRUSTIFY_DA_PIP_REPORT')) {
+            return Buffer.from(process.env['TRUSTIFY_DA_PIP_REPORT'], 'base64').toString('ascii');
+        }
+        let pipBin = getCustomPath('pip3', opts);
+        try {
+            invokeCommand(pipBin, ['--version']);
+        }
+        catch {
+            pipBin = getCustomPath('pip', opts);
+        }
+        let eggInfoDirs = this._findEggInfoDirs(manifestDir);
+        let result = invokeCommand(pipBin, [
+            'install', '--dry-run', '--ignore-installed', '--quiet', '--report', '-', '.'
+        ], { cwd: manifestDir }).toString();
+        this._cleanupEggInfo(manifestDir, eggInfoDirs);
+        return result;
+    }
+    /**
+     * Parse pip report JSON and build dependency graph.
+     * @param {string} reportJson - pip report JSON string
+     * @returns {{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}}
+     */
+    _parsePipReport(reportJson) {
+        let report = JSON.parse(reportJson);
+        let packages = report.install || [];
+        let rootEntry = packages.find(p => p.download_info?.dir_info !== undefined);
+        let rootRequires = rootEntry?.metadata?.requires_dist || [];
+        let directDepNames = new Set();
+        for (let req of rootRequires) {
+            if (this._hasExtraMarker(req)) {
+                continue;
+            }
+            let name = this._extractDepName(req);
+            if (name) {
+                directDepNames.add(this._canonicalize(name));
+            }
+        }
+        let graph = new Map();
+        let nonRootPackages = packages.filter(p => p !== rootEntry);
+        for (let pkg of nonRootPackages) {
+            let name = pkg.metadata.name;
+            let version = pkg.metadata.version;
+            let key = this._canonicalize(name);
+            graph.set(key, { name, version, children: [] });
+        }
+        for (let pkg of nonRootPackages) {
+            let key = this._canonicalize(pkg.metadata.name);
+            let entry = graph.get(key);
+            let requires = pkg.metadata.requires_dist || [];
+            for (let req of requires) {
+                let depName = this._extractDepName(req);
+                if (!depName) {
+                    continue;
+                }
+                let depKey = this._canonicalize(depName);
+                if (graph.has(depKey)) {
+                    entry.children.push(depKey);
+                }
+            }
+        }
+        let directDeps = [...directDepNames].filter(key => graph.has(key));
+        return { directDeps, graph };
+    }
+    /**
+     * Check if a requires_dist entry is an extras-only dependency.
+     * @param {string} req - e.g. "PySocks!=1.5.7,>=1.5.6; extra == \"socks\""
+     * @returns {boolean}
+     */
+    _hasExtraMarker(req) {
+        return /;\s*.*extra\s*==/.test(req);
+    }
+    /**
+     * Extract package name from a requires_dist entry.
+     * @param {string} req - e.g. "charset_normalizer<4,>=2"
+     * @returns {string|null}
+     */
+    _extractDepName(req) {
+        let match = req.match(/^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)/);
+        return match ? match[1] : null;
+    }
+    /**
+     * Resolve dependencies using pip install --dry-run --report.
+     * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (pip resolves from manifest directory)
+     * @param {object} parsed - parsed pyproject.toml
+     * @param {{}} [opts={}]
+     * @returns {Promise<{directDeps: string[], graph: Map}>}
+     */
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
+        let reportOutput = this._getPipReportOutput(manifestDir, opts);
+        return this._parsePipReport(reportOutput);
+    }
+    _findEggInfoDirs(dir) {
+        try {
+            return fs.readdirSync(dir).filter(f => f.endsWith('.egg-info'));
+        }
+        catch {
+            return [];
+        }
+    }
+    _cleanupEggInfo(dir, existing) {
+        for (let entry of this._findEggInfoDirs(dir)) {
+            if (!existing.includes(entry)) {
+                fs.rmSync(path.join(dir, entry), { recursive: true, force: true });
+            }
+        }
+    }
+}

package/dist/src/providers/python_poetry.d.ts

@@ -2,10 +2,11 @@ export default class Python_poetry extends Base_pyproject {
     /**
      * Get poetry show --tree output.
      * @param {string} manifestDir
+     * @param {boolean} hasDevGroup
      * @param {Object} opts
      * @returns {string}
      */
-    _getPoetryShowTreeOutput(manifestDir: string, opts: any): string;
+    _getPoetryShowTreeOutput(manifestDir: string, hasDevGroup: boolean, opts: any): string;
     /**
      * Get poetry show --all output (flat list with resolved versions).
      * @param {string} manifestDir

package/dist/src/providers/python_poetry.js

@@ -1,6 +1,27 @@
-import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
+import fs from 'node:fs';
+import path from 'node:path';
+import { environmentVariableIsPopulated, getCustom, getCustomPath, invokeCommand } from '../tools.js';
 import Base_pyproject from './base_pyproject.js';
 export default class Python_poetry extends Base_pyproject {
+    /**
+     * Poetry has no native workspace/monorepo support (python-poetry/poetry#2270).
+     * Each poetry project is treated independently — no lock file walk-up.
+     * Running `poetry show` from a parent directory returns the parent's deps, not
+     * the sub-package's, so walk-up would produce incorrect SBOMs.
+     * @param {string} manifestDir
+     * @param {Object} [opts={}]
+     * @returns {string|null}
+     * @protected
+     */
+    _findLockFileDir(manifestDir, opts = {}) {
+        const workspaceDir = getCustom('TRUSTIFY_DA_WORKSPACE_DIR', null, opts);
+        if (workspaceDir) {
+            const dir = path.resolve(workspaceDir);
+            return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+        }
+        const dir = path.resolve(manifestDir);
+        return fs.existsSync(path.join(dir, this._lockFileName())) ? dir : null;
+    }
     /** @returns {string} */
     _lockFileName() {
         return 'poetry.lock';
@@ -11,12 +32,15 @@ export default class Python_poetry extends Base_pyproject {
     }
     /**
      * @param {string} manifestDir
+     * @param {string} _workspaceDir - unused (poetry has no workspace support)
      * @param {object} parsed - parsed pyproject.toml
      * @param {Object} opts
      * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
      */
-    async _getDependencyData(manifestDir, parsed, opts) {
-        let treeOutput = this._getPoetryShowTreeOutput(manifestDir, opts);
+    // eslint-disable-next-line no-unused-vars
+    async _getDependencyData(manifestDir, _workspaceDir, parsed, opts) {
+        let hasDevGroup = !!(parsed.tool?.poetry?.group?.dev || parsed.tool?.poetry?.['dev-dependencies']);
+        let treeOutput = this._getPoetryShowTreeOutput(manifestDir, hasDevGroup, opts);
         let showAllOutput = this._getPoetryShowAllOutput(manifestDir, opts);
         let versionMap = this._parsePoetryShowAll(showAllOutput);
         return this._parsePoetryTree(treeOutput, versionMap);
@@ -24,15 +48,20 @@ export default class Python_poetry extends Base_pyproject {
     /**
      * Get poetry show --tree output.
      * @param {string} manifestDir
+     * @param {boolean} hasDevGroup
      * @param {Object} opts
      * @returns {string}
      */
-    _getPoetryShowTreeOutput(manifestDir, opts) {
+    _getPoetryShowTreeOutput(manifestDir, hasDevGroup, opts) {
         if (environmentVariableIsPopulated('TRUSTIFY_DA_POETRY_SHOW_TREE')) {
             return Buffer.from(process.env['TRUSTIFY_DA_POETRY_SHOW_TREE'], 'base64').toString('utf-8');
         }
         let poetryBin = getCustomPath('poetry', opts);
-        return invokeCommand(poetryBin, ['show', '--tree', '--no-ansi'], { cwd: manifestDir }).toString();
+        let args = ['show', '--tree', '--no-ansi'];
+        if (hasDevGroup) {
+            args.push('--without', 'dev');
+        }
+        return invokeCommand(poetryBin, args, { cwd: manifestDir }).toString();
     }
     /**
      * Get poetry show --all output (flat list with resolved versions).
@@ -89,7 +118,7 @@ export default class Python_poetry extends Base_pyproject {
                 continue;
             }
             // top-level line: "name version description..."
-            let topMatch = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s+(\S+)\s/);
+            let topMatch = line.match(/^([A-Za-z0-9][A-Za-z0-9._-]*)\s+(\S+)(?:\s|$)/);
             if (topMatch) {
                 let name = topMatch[1];
                 let version = topMatch[2];

package/dist/src/providers/python_uv.d.ts

@@ -12,9 +12,10 @@ export default class Python_uv extends Base_pyproject {
      *
      * @param {string} output
      * @param {string} projectName - canonical project name to identify direct deps
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
      * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
      */
-    _parseUvExport(output: string, projectName: string): Promise<{
+    _parseUvExport(output: string, projectName: string, workspaceDir: string): Promise<{
         directDeps: string[];
         graph: Map<string, {
             name: string;

package/dist/src/providers/python_uv.js

@@ -1,3 +1,6 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { parse as parseToml } from 'smol-toml';
 import { environmentVariableIsPopulated, getCustomPath, invokeCommand } from '../tools.js';
 import Base_pyproject from './base_pyproject.js';
 import { getParser, getPinnedVersionQuery } from './requirements_parser.js';
@@ -11,15 +14,16 @@ export default class Python_uv extends Base_pyproject {
         return 'uv';
     }
     /**
-     * @param {string} manifestDir
+     * @param {string} manifestDir - directory containing the target pyproject.toml
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
      * @param {object} parsed - parsed pyproject.toml
      * @param {Object} opts
      * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
      */
-    async _getDependencyData(manifestDir, parsed, opts) {
+    async _getDependencyData(manifestDir, workspaceDir, parsed, opts) {
         let projectName = this._getProjectName(parsed);
         let uvOutput = this._getUvExportOutput(manifestDir, opts);
-        return this._parseUvExport(uvOutput, projectName);
+        return this._parseUvExport(uvOutput, projectName, workspaceDir);
     }
     /**
      * Get the uv export output, either from env var or by running the command.
@@ -32,7 +36,7 @@ export default class Python_uv extends Base_pyproject {
             return Buffer.from(process.env['TRUSTIFY_DA_UV_EXPORT'], 'base64').toString('ascii');
         }
         let uvBin = getCustomPath('uv', opts);
-        return invokeCommand(uvBin, ['export', '--format', 'requirements.txt', '--frozen', '--no-hashes'], { cwd: manifestDir }).toString();
+        return invokeCommand(uvBin, ['export', '--format', 'requirements.txt', '--frozen', '--no-hashes', '--no-dev', '--no-emit-project'], { cwd: manifestDir }).toString();
     }
     /**
      * Parse uv export output into a dependency graph using tree-sitter-requirements
@@ -40,9 +44,10 @@ export default class Python_uv extends Base_pyproject {
      *
      * @param {string} output
      * @param {string} projectName - canonical project name to identify direct deps
+     * @param {string} workspaceDir - workspace root (for resolving editable install paths)
      * @returns {Promise<{directDeps: string[], graph: Map<string, {name: string, version: string, children: string[]}>}>}
      */
-    async _parseUvExport(output, projectName) {
+    async _parseUvExport(output, projectName, workspaceDir) {
         let [parser, pinnedVersionQuery] = await Promise.all([
             getParser(), getPinnedVersionQuery()
         ]);
@@ -53,6 +58,32 @@ export default class Python_uv extends Base_pyproject {
         let currentPkg = null;
         let collectingVia = false;
         for (let child of root.children) {
+            if (child.type === 'global_opt') {
+                let optNode = child.children.find(c => c.type === 'option');
+                let pathNode = child.children.find(c => c.type === 'path');
+                if (optNode?.text === '-e' && pathNode && workspaceDir) {
+                    let memberDir = path.resolve(workspaceDir, pathNode.text);
+                    let memberManifest = path.join(memberDir, 'pyproject.toml');
+                    if (fs.existsSync(memberManifest)) {
+                        let memberParsed = parseToml(fs.readFileSync(memberManifest, 'utf-8'));
+                        let name = memberParsed.project?.name || memberParsed.tool?.poetry?.name;
+                        let version = memberParsed.project?.version || memberParsed.tool?.poetry?.version;
+                        if (name && version) {
+                            let key = this._canonicalize(name);
+                            if (key === canonProjectName) {
+                                continue;
+                            }
+                            currentPkg = { name, version, parents: new Set() };
+                            packages.set(key, currentPkg);
+                            collectingVia = false;
+                            continue;
+                        }
+                    }
+                }
+                currentPkg = null;
+                collectingVia = false;
+                continue;
+            }
             if (child.type === 'requirement') {
                 let nameNode = child.children.find(c => c.type === 'package');
                 if (!nameNode) {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.e5bb86c",
+	"version": "0.3.0-ea.f136061",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",