@trustify-da/trustify-da-javascript-client 0.3.0-ea.f2c4df7 → 0.3.0-ea.f2d5d72

package/README.md

@@ -32,6 +32,11 @@ let stackAnalysis = await client.stackAnalysis('/path/to/pom.xml')
 let stackAnalysisHtml = await client.stackAnalysis('/path/to/pom.xml', true)
 // Get component analysis in JSON format
 let componentAnalysis = await client.componentAnalysis('/path/to/pom.xml')
+// For monorepos, pass workspace root so the client finds the lock file
+let monorepoOpts = { workspaceDir: '/path/to/workspace-root' }
+let stackAnalysisMonorepo = await client.stackAnalysis('/path/to/package.json', false, monorepoOpts)
+// Batch analysis for entire workspace (Cargo or JS/TS); optional parallel SBOM generation
+let batchReport = await client.stackAnalysisBatch('/path/to/workspace-root', false, { batchConcurrency: 10 })
 // Get image analysis in JSON format
 let imageAnalysis = await client.imageAnalysis(['docker.io/library/node:18'])
 // Get image analysis in HTML format (string)
@@ -49,7 +54,7 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'])
 The client automatically detects your project's license with intelligent fallback:
 </p>
 <ul>
-<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>)</li>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
 <li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
 <li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
 <li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
@@ -101,8 +106,9 @@ $ npx @trustify-da/trustify-da-javascript-client help
 Usage: trustify-da-javascript-client {component|stack|image|validate-token|license}
 
 Commands:
-  trustify-da-javascript-client stack </path/to/manifest> [--html|--summary]               produce stack report for manifest path
-  trustify-da-javascript-client component <path/to/manifest> [--summary]   produce component report for a manifest type and content
+  trustify-da-javascript-client stack </path/to/manifest> [--workspace-dir <path>] [--html|--summary]               produce stack report for manifest path
+  trustify-da-javascript-client stack-batch </path/to/workspace-root> [--html|--summary]   produce stack report for all packages/crates in workspace
+  trustify-da-javascript-client component <path/to/manifest> [--workspace-dir <path>]   produce component report for a manifest type and content
   trustify-da-javascript-client image <image-refs..> [--html|--summary]               produce image analysis report for OCI image references
   trustify-da-javascript-client license </path/to/manifest>               display project license information from manifest and LICENSE file in JSON format
 
@@ -121,9 +127,21 @@ $ npx @trustify-da/trustify-da-javascript-client stack /path/to/pom.xml --summar
 # get stack analysis in html format format
 $ npx @trustify-da/trustify-da-javascript-client stack /path/to/pom.xml --html
 
+# get stack analysis for monorepo (lock file at workspace root)
+$ npx @trustify-da/trustify-da-javascript-client stack /path/to/package.json --workspace-dir /path/to/workspace-root
+
 # get component analysis
 $ npx @trustify-da/trustify-da-javascript-client component /path/to/pom.xml
 
+# get component analysis for monorepo
+$ npx @trustify-da/trustify-da-javascript-client component /path/to/package.json -w /path/to/workspace-root
+
+# batch stack analysis for entire workspace (Cargo or JS/TS)
+$ npx @trustify-da/trustify-da-javascript-client stack-batch /path/to/workspace-root
+
+# optional: extra discovery excludes (merged with defaults); repeat --ignore or use TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE
+$ npx @trustify-da/trustify-da-javascript-client stack-batch /path/to/workspace-root --ignore '**/fixtures/**'
+
 # get image analysis in json format
 $ npx @trustify-da/trustify-da-javascript-client image docker.io/library/node:18
 
@@ -162,9 +180,21 @@ $ trustify-da-javascript-client stack /path/to/pom.xml --summary
 # get stack analysis in html format format
 $ trustify-da-javascript-client stack /path/to/pom.xml --html
 
+# get stack analysis for monorepo (lock file at workspace root)
+$ trustify-da-javascript-client stack /path/to/package.json --workspace-dir /path/to/workspace-root
+
 # get component analysis
 $ trustify-da-javascript-client component /path/to/pom.xml
 
+# get component analysis for monorepo
+$ trustify-da-javascript-client component /path/to/package.json -w /path/to/workspace-root
+
+# batch stack analysis for entire workspace
+$ trustify-da-javascript-client stack-batch /path/to/workspace-root
+
+# with extra discovery excludes
+$ trustify-da-javascript-client stack-batch /path/to/workspace-root -i '**/vendor/**'
+
 # get image analysis in json format
 $ trustify-da-javascript-client image docker.io/library/node:18
 
@@ -194,8 +224,10 @@ $ trustify-da-javascript-client license /path/to/package.json
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://pnpm.io/">pnpm</a></li>
 <li><a href="https://www.javascript.com/">JavaScript</a> - <a href="https://classic.yarnpkg.com/">Yarn Classic</a> /  <a href="https://yarnpkg.com/">Yarn Berry</a></li>
 <li><a href="https://go.dev/">Golang</a> - <a href="https://go.dev/blog/using-go-modules/">Go Modules</a></li>
-<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a></li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://pypi.org/project/pip/">pip Installer</a> (<code>requirements.txt</code>)</li>
+<li><a href="https://www.python.org/">Python</a> - <a href="https://python-poetry.org/">Poetry</a> / <a href="https://docs.astral.sh/uv/">uv</a> (<code>pyproject.toml</code>)</li>
 <li><a href="https://gradle.org/">Gradle (Groovy and Kotlin DSL)</a> - <a href="https://gradle.org/install/">Gradle Installation</a></li>
+<li><a href="https://www.rust-lang.org/">Rust</a> - <a href="https://doc.rust-lang.org/cargo/">Cargo</a></li>
 </ul>
 
 <h3>License Detection</h3>
@@ -203,7 +235,7 @@ $ trustify-da-javascript-client license /path/to/package.json
 The client automatically detects your project's license with intelligent fallback:
 </p>
 <ul>
-<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>)</li>
+<li><strong>Manifest-first:</strong> For ecosystems with license support (Maven, JavaScript, Rust Cargo), reads from manifest file (<code>pom.xml</code>, <code>package.json</code>, <code>Cargo.toml</code>)</li>
 <li><strong>LICENSE file fallback:</strong> If no license in manifest, or for ecosystems without license support (Gradle, Go, Python), automatically reads from <code>LICENSE</code>, <code>LICENSE.md</code>, or <code>LICENSE.txt</code></li>
 <li><strong>SBOM integration:</strong> Detected licenses are included in generated SBOMs for all ecosystems</li>
 <li><strong>SPDX support:</strong> Automatically detects common licenses (Apache-2.0, MIT, GPL, BSD) from LICENSE file content</li>
@@ -256,8 +288,11 @@ Excluding a package from any analysis can be achieved by marking the package for
   ]
 }
 ```
+</li>
+
+<li>
+<em>Golang</em> users can add in go.mod a comment with <code>// exhortignore</code> next to the package to be ignored, or to "piggyback" on existing comment ( e.g - <code>// indirect</code>), for example:
 
-<em>Golang</em> users can add in go.mod a comment with //exhortignore next to the package to be ignored, or to "piggyback" on existing comment ( e.g - //indirect) , for example:
 ```go
 module github.com/trustify-da/SaaSi/deployer
 
@@ -266,7 +301,7 @@ go 1.19
 require (
         github.com/gin-gonic/gin v1.9.1
         github.com/google/uuid v1.1.2
-        github.com/jessevdk/go-flags v1.5.0 //exhortignore
+        github.com/jessevdk/go-flags v1.5.0 // exhortignore
         github.com/kr/pretty v0.3.1
         gopkg.in/yaml.v2 v2.4.0
         k8s.io/apimachinery v0.26.1
@@ -274,14 +309,20 @@ require (
 )
 
 require (
-        github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
+        github.com/davecgh/go-spew v1.1.1 // indirect; exhortignore
         github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-        github.com/go-logr/logr v1.2.3 // indirect //exhortignore
+        github.com/go-logr/logr v1.2.3 // indirect; exhortignore
 
 )
 ```
 
+<b>NOTE</b>: It is important to format <code>exhortignore</code> markers on indirect dependencies as shown above, otherwise the Go tooling (as well as this library) may incorrectly parse dependencies marked as indirect as being direct dependencies instead.
+</li>
+
+
+<li>
 <em>Python pip</em> users can add in requirements.txt a comment with #exhortignore(or # exhortignore) to the right of the same artifact to be ignored, for example:
+
 ```properties
 anyio==3.6.2
 asgiref==3.4.1
@@ -312,11 +353,14 @@ Werkzeug==2.0.3
 zipp==3.6.0
 
 ```
+</li>
 
+<li>
 <em>Gradle</em> users can add in build.gradle a comment with //exhortignore next to the package to be ignored:
+
 ```build.gradle
 plugins {
-id 'java'
+    id 'java'
 }
 
 group = 'groupName'
@@ -334,9 +378,45 @@ test {
 }
 ```
 
-All of the 5 above examples are valid for marking a package to be ignored
-</li>
+<em>Rust Cargo</em> users can add a comment with <code># trustify-da-ignore</code> (or <code># exhortignore</code>) in <em>Cargo.toml</em> next to the dependency to be ignored. This works for inline declarations, table-based declarations, and workspace-level dependency sections:
+
+```toml
+[dependencies]
+serde = "1.0" # trustify-da-ignore
+tokio = { version = "1.35", features = ["full"] }
+
+[dependencies.regex] # trustify-da-ignore
+version = "1.10"
+
+[workspace.dependencies]
+log = "0.4" # trustify-da-ignore
+```
+
+
+<em>Python pyproject.toml</em> users can add a comment with <code>#exhortignore</code> (or <code># trustify-da-ignore</code>) next to the dependency in <code>pyproject.toml</code>.
+
+PEP 621 style (<code>[project]</code> dependencies):
+```toml
+[project]
+dependencies = [
+    "flask>=2.0.3",
+    "requests>=2.25.1",
+    "uvicorn>=0.17.0", #exhortignore
+    "click>=8.0.4", # trustify-da-ignore
+]
+```
 
+Poetry style (<code>[tool.poetry.dependencies]</code>):
+```toml
+[tool.poetry.dependencies]
+flask = "^2.0.3"
+requests = "^2.25.1"
+uvicorn = "^0.17.0" #exhortignore
+click = "^8.0.4" # trustify-da-ignore
+```
+
+All of the above examples are valid for marking a package to be ignored
+</li>
 </ul>
 
 <h3>Customization</h3>
@@ -365,7 +445,12 @@ let options = {
   'TRUSTIFY_DA_PIP3_PATH' : '/path/to/pip3',
   'TRUSTIFY_DA_PYTHON_PATH' : '/path/to/python',
   'TRUSTIFY_DA_PIP_PATH' : '/path/to/pip',
+  'TRUSTIFY_DA_UV_PATH' : '/path/to/uv',
+  'TRUSTIFY_DA_POETRY_PATH' : '/path/to/poetry',
   'TRUSTIFY_DA_GRADLE_PATH' : '/path/to/gradle',
+  'TRUSTIFY_DA_CARGO_PATH' : '/path/to/cargo',
+  // Workspace root for monorepos (Cargo, npm/pnpm/yarn); lock file expected here
+  'workspaceDir': '/path/to/workspace-root',
   // Configure proxy for all requests
   'TRUSTIFY_DA_PROXY_URL': 'http://proxy.example.com:8080'
 }
@@ -388,6 +473,21 @@ let imageAnalysisWithArch = await client.imageAnalysis(['httpd:2.4.49^^amd64'],
  **_Environment variables takes precedence._**
 </p>
 
+<h4>Monorepo / Workspace Support</h4>
+<p>
+For monorepos (Cargo workspaces, npm/pnpm/yarn workspaces) where the lock file lives at the workspace root rather than next to the manifest, pass the workspace root via <code>workspaceDir</code> or <code>TRUSTIFY_DA_WORKSPACE_DIR</code>:
+</p>
+<ul>
+<li><strong>Cargo:</strong> When set, the client checks only the given directory for <code>Cargo.lock</code> instead of walking up from the manifest.</li>
+<li><strong>JavaScript (npm, pnpm, yarn):</strong> When set, the client looks for the lock file (<code>package-lock.json</code>, <code>pnpm-lock.yaml</code>, <code>yarn.lock</code>) at the workspace root.</li>
+</ul>
+<p>
+Use <code>stackAnalysisBatch(workspaceRoot, html, opts)</code> to analyze all packages/crates in a workspace in one request. Supports Cargo workspaces and JS/TS workspaces (pnpm, npm, yarn). Optional <code>batchConcurrency</code> (or <code>TRUSTIFY_DA_BATCH_CONCURRENCY</code>) limits parallel SBOM generation (default 10). For JS/TS, each <code>package.json</code> must have non-empty <code>name</code> and <code>version</code>; invalid manifests are skipped (warnings). Per-manifest SBOM failures are skipped if at least one SBOM succeeds (unless <code>continueOnError: false</code>). Set <code>batchMetadata: true</code> (or <code>TRUSTIFY_DA_BATCH_METADATA</code>) to receive <code>{ analysis, metadata }</code> with <code>errors[]</code>. CLI: <code>stack-batch --metadata</code>, <code>--fail-fast</code>. See <a href="./docs/monorepo-implementation-plan.md">monorepo implementation plan</a> §2.3 and §3.5.
+</p>
+<p>
+See <a href="./docs/vscode-extension-integration-requirements.md">VS Code Extension Integration Requirements</a> for integration details.
+</p>
+
 <h4>Proxy Configuration</h4>
 <p>
 You can configure a proxy for all HTTP/HTTPS requests made by the API. This is useful when your environment requires going through a proxy to access external services.
@@ -411,7 +511,7 @@ The proxy URL should be in the format: `http://host:port` or `https://host:port`
 
 <h4>License resolution and dependency license compliance</h4>
 <p>
-The client can resolve the <strong>project license</strong> from the manifest (e.g. <code>package.json</code> <code>license</code>, <code>pom.xml</code> <code>&lt;licenses&gt;</code>) and from a <code>LICENSE</code> or <code>LICENSE.md</code> file in the project, and report when they differ. For <strong>component analysis</strong>, you can optionally run a license check: the client fetches dependency licenses from the backend (by purl) and reports dependencies whose licenses are incompatible with the project license. See <a href="docs/license-resolution-and-compliance.md">License resolution and compliance</a> for design and behavior. To disable the check on component analysis, set <code>TRUSTIFY_DA_LICENSE_CHECK=false</code> or pass <code>licenseCheck: false</code> in the options.
+The client can resolve the <strong>project license</strong> from the manifest (e.g. <code>package.json</code> <code>license</code>, <code>pom.xml</code> <code>&lt;licenses&gt;</code>, <code>Cargo.toml</code> <code>license</code>) and from a <code>LICENSE</code> or <code>LICENSE.md</code> file in the project, and report when they differ. For <strong>component analysis</strong>, you can optionally run a license check: the client fetches dependency licenses from the backend (by purl) and reports dependencies whose licenses are incompatible with the project license. See <a href="docs/license-resolution-and-compliance.md">License resolution and compliance</a> for design and behavior. To disable the check on component analysis, set <code>TRUSTIFY_DA_LICENSE_CHECK=false</code> or pass <code>licenseCheck: false</code> in the options.
 </p>
 
 <h4>Customizing Executables</h4>
@@ -487,6 +587,26 @@ following keys for setting custom paths for the said executables.
 <td><em>gradle</em></td>
 <td>TRUSTIFY_DA_PREFER_GRADLEW</td>
 </tr>
+<tr>
+<td><a href="https://www.rust-lang.org/">Rust Cargo</a></td>
+<td><em>cargo</em></td>
+<td>TRUSTIFY_DA_CARGO_PATH</td>
+</tr>
+<tr>
+<td><a href="https://docs.astral.sh/uv/">uv</a></td>
+<td><em>uv</em></td>
+<td>TRUSTIFY_DA_UV_PATH</td>
+</tr>
+<tr>
+<td><a href="https://python-poetry.org/">Poetry</a></td>
+<td><em>poetry</em></td>
+<td>TRUSTIFY_DA_POETRY_PATH</td>
+</tr>
+<tr>
+<td>Workspace root (monorepos)</td>
+<td>—</td>
+<td>workspaceDir / TRUSTIFY_DA_WORKSPACE_DIR</td>
+</tr>
 </table>
 
 #### Match Manifest Versions Feature
@@ -535,6 +655,24 @@ TRUSTIFY_DA_GO_MVS_LOGIC_ENABLED=false
 
 #### Python Support
 
+The client supports two Python manifest formats:
+
+- **`requirements.txt`** — uses pip/pip3 to resolve dependencies
+- **`pyproject.toml`** — uses [uv](https://docs.astral.sh/uv/) or [Poetry](https://python-poetry.org/) to resolve dependencies
+
+##### pyproject.toml
+
+For `pyproject.toml` projects, the client detects which tool manages the project by checking for lock files:
+- If `poetry.lock` is present and `[tool.poetry]` is defined, **Poetry** is used (`poetry show --tree` and `poetry show --all`)
+- If `uv.lock` is present, **uv** is used (`uv export --format requirements.txt --frozen --no-hashes`)
+- If neither lock file is found, an error is thrown
+
+Both PEP 621 (`[project]` dependencies) and Poetry-style (`[tool.poetry.dependencies]`) are supported.
+
+Custom executable paths can be set via `TRUSTIFY_DA_UV_PATH` and `TRUSTIFY_DA_POETRY_PATH`.
+
+##### requirements.txt
+
 By default, For python support, the api assumes that the package is installed using the pip/pip3 binary on the system PATH, or using the customized
 Binaries passed to environment variables. In any case, If the package is not installed , then an error will be thrown.
 

package/dist/package.json

@@ -40,22 +40,30 @@
         "test": "c8 npm run tests",
         "tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
         "tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+        "pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
         "precompile": "rm -rf dist",
         "compile": "tsc -p tsconfig.json",
-        "compile:dev": "tsc -p tsconfig.dev.json"
+        "compile:dev": "tsc -p tsconfig.dev.json",
+        "postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm dist/src/providers/tree-sitter-gomod.wasm"
     },
     "dependencies": {
         "@babel/core": "^7.23.2",
         "@cyclonedx/cyclonedx-library": "^6.13.0",
         "eslint-import-resolver-typescript": "^4.4.4",
+        "fast-glob": "^3.3.3",
         "fast-toml": "^0.5.4",
         "fast-xml-parser": "^5.3.4",
         "help": "^3.0.2",
         "https-proxy-agent": "^7.0.6",
+        "js-yaml": "^4.1.1",
+        "micromatch": "^4.0.8",
         "node-fetch": "^3.3.2",
+        "p-limit": "^4.0.0",
         "packageurl-js": "~1.0.2",
+        "smol-toml": "^1.6.0",
+        "tree-sitter-gomod": "github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda",
         "tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
-        "web-tree-sitter": "^0.26.6",
+        "web-tree-sitter": "^0.26.7",
         "yargs": "^18.0.0"
     },
     "devDependencies": {

package/dist/src/analysis.d.ts

@@ -1,6 +1,9 @@
+/** Media type for CycloneDX JSON batch payloads (batch-analysis API). */
+export const CYCLONEDX_JSON_MEDIA_TYPE: "application/vnd.cyclonedx+json";
 declare namespace _default {
     export { requestComponent };
     export { requestStack };
+    export { requestStackBatch };
     export { requestImages };
     export { validateToken };
 }
@@ -24,6 +27,19 @@ declare function requestComponent(provider: import("./provider").Provider, manif
  * @returns {Promise<string|import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>}
  */
 declare function requestStack(provider: import("./provider").Provider, manifest: string, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport>;
+/**
+ * Send a batch stack analysis request for multiple manifests (SBOMs keyed by purl).
+ * @param {Object.<string, object>} sbomByPurl - Map of root purl to CycloneDX SBOM object
+ * @param {string} url - the backend url
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON
+ * @param {import("index.js").Options} [opts={}]
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ */
+declare function requestStackBatch(sbomByPurl: {
+    [x: string]: any;
+}, url: string, html?: boolean, opts?: import("index.js").Options): Promise<string | {
+    [x: string]: import("@trustify-da/trustify-da-api-model/model/v5/AnalysisReport").AnalysisReport;
+}>;
 /**
  *
  * @param {Array<string>} imageRefs

package/dist/src/analysis.js

@@ -4,7 +4,9 @@ import { EOL } from "os";
 import { runLicenseCheck } from "./license/index.js";
 import { generateImageSBOM, parseImageRef } from "./oci_image/utils.js";
 import { addProxyAgent, getCustom, getTokenHeaders, TRUSTIFY_DA_OPERATION_TYPE_HEADER, TRUSTIFY_DA_PACKAGE_MANAGER_HEADER } from "./tools.js";
-export default { requestComponent, requestStack, requestImages, validateToken };
+/** Media type for CycloneDX JSON batch payloads (batch-analysis API). */
+export const CYCLONEDX_JSON_MEDIA_TYPE = 'application/vnd.cyclonedx+json';
+export default { requestComponent, requestStack, requestStackBatch, requestImages, validateToken };
 /**
  * Send a stack analysis request and get the report as 'text/html' or 'application/json'.
  * @param {import('./provider').Provider} provider - the provided data for constructing the request
@@ -124,6 +126,52 @@ async function requestComponent(provider, manifest, url, opts = {}) {
     }
     return Promise.resolve(result);
 }
+/**
+ * Send a batch stack analysis request for multiple manifests (SBOMs keyed by purl).
+ * @param {Object.<string, object>} sbomByPurl - Map of root purl to CycloneDX SBOM object
+ * @param {string} url - the backend url
+ * @param {boolean} [html=false] - true returns HTML, false returns JSON
+ * @param {import("index.js").Options} [opts={}]
+ * @returns {Promise<string|Object.<string, import('@trustify-da/trustify-da-api-model/model/v5/AnalysisReport').AnalysisReport>>}
+ */
+async function requestStackBatch(sbomByPurl, url, html = false, opts = {}) {
+    const finalUrl = new URL(`${url}/api/v5/batch-analysis`);
+    if (opts['TRUSTIFY_DA_RECOMMENDATIONS_ENABLED'] === 'false') {
+        finalUrl.searchParams.append('recommend', 'false');
+    }
+    const fetchOptions = addProxyAgent({
+        method: 'POST',
+        headers: {
+            'Accept': html ? 'text/html' : 'application/json',
+            'Content-Type': CYCLONEDX_JSON_MEDIA_TYPE,
+            ...getTokenHeaders(opts)
+        },
+        body: JSON.stringify(sbomByPurl)
+    }, opts);
+    const resp = await fetch(finalUrl, fetchOptions);
+    if (resp.status === 200) {
+        let result;
+        if (!html) {
+            result = await resp.json();
+        }
+        else {
+            result = await resp.text();
+        }
+        if (process.env["TRUSTIFY_DA_DEBUG"] === "true") {
+            const exRequestId = resp.headers.get("ex-request-id");
+            if (exRequestId) {
+                console.log("Unique Identifier associated with this request - ex-request-id=" + exRequestId);
+            }
+            console.log("Response body received from Trustify DA backend server : " + EOL + EOL);
+            console.log(JSON.stringify(result, null, 4));
+            console.log("Ending time of sending batch stack analysis request to Trustify DA backend server= " + new Date());
+        }
+        return result;
+    }
+    else {
+        throw new Error(`Got error response from Trustify DA backend - http return code : ${resp.status}, ex-request-id: ${resp.headers.get("ex-request-id")}  error message =>  ${await resp.text()}`);
+    }
+}
 /**
  *
  * @param {Array<string>} imageRefs
@@ -145,7 +193,7 @@ async function requestImages(imageRefs, url, html = false, opts = {}) {
         method: 'POST',
         headers: {
             'Accept': html ? 'text/html' : 'application/json',
-            'Content-Type': 'application/vnd.cyclonedx+json',
+            'Content-Type': CYCLONEDX_JSON_MEDIA_TYPE,
             ...getTokenHeaders(opts)
         },
         body: JSON.stringify(imageSboms),

package/dist/src/batch_opts.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Whether to skip failed manifests and continue (default), or fail on first SBOM/validation error.
+ * `opts.continueOnError` overrides; env `TRUSTIFY_DA_CONTINUE_ON_ERROR=false` disables continuation.
+ *
+ * @param {{ continueOnError?: boolean, TRUSTIFY_DA_CONTINUE_ON_ERROR?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean} true = collect errors (default), false = fail-fast
+ */
+export function resolveContinueOnError(opts?: {
+    continueOnError?: boolean;
+    TRUSTIFY_DA_CONTINUE_ON_ERROR?: string;
+    [key: string]: unknown;
+}): boolean;
+/**
+ * When true, `stackAnalysisBatch` returns `{ analysis, metadata }` instead of the backend response only.
+ * `opts.batchMetadata` overrides; env `TRUSTIFY_DA_BATCH_METADATA=true` enables.
+ *
+ * @param {{ batchMetadata?: boolean, TRUSTIFY_DA_BATCH_METADATA?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean}
+ */
+export function resolveBatchMetadata(opts?: {
+    batchMetadata?: boolean;
+    TRUSTIFY_DA_BATCH_METADATA?: string;
+    [key: string]: unknown;
+}): boolean;

package/dist/src/batch_opts.js

@@ -0,0 +1,35 @@
+import { getCustom } from './tools.js';
+/**
+ * Whether to skip failed manifests and continue (default), or fail on first SBOM/validation error.
+ * `opts.continueOnError` overrides; env `TRUSTIFY_DA_CONTINUE_ON_ERROR=false` disables continuation.
+ *
+ * @param {{ continueOnError?: boolean, TRUSTIFY_DA_CONTINUE_ON_ERROR?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean} true = collect errors (default), false = fail-fast
+ */
+export function resolveContinueOnError(opts = {}) {
+    if (typeof opts.continueOnError === 'boolean') {
+        return opts.continueOnError;
+    }
+    const v = getCustom('TRUSTIFY_DA_CONTINUE_ON_ERROR', null, opts);
+    if (v != null && String(v).trim() !== '') {
+        return String(v).toLowerCase() !== 'false';
+    }
+    return true;
+}
+/**
+ * When true, `stackAnalysisBatch` returns `{ analysis, metadata }` instead of the backend response only.
+ * `opts.batchMetadata` overrides; env `TRUSTIFY_DA_BATCH_METADATA=true` enables.
+ *
+ * @param {{ batchMetadata?: boolean, TRUSTIFY_DA_BATCH_METADATA?: string, [key: string]: unknown }} [opts={}]
+ * @returns {boolean}
+ */
+export function resolveBatchMetadata(opts = {}) {
+    if (typeof opts.batchMetadata === 'boolean') {
+        return opts.batchMetadata;
+    }
+    const v = getCustom('TRUSTIFY_DA_BATCH_METADATA', null, opts);
+    if (v != null && String(v).trim() !== '') {
+        return String(v).toLowerCase() === 'true';
+    }
+    return false;
+}