preship 2.1.1 → 2.2.0

package/dist/cli.js

@@ -41,6 +41,58 @@ function getCliVersion() {
     return "0.0.0";
   }
 }
+function getOsvEcosystem(projectType) {
+  switch (projectType) {
+    case "npm":
+    case "yarn":
+    case "pnpm":
+      return "npm";
+    case "flutter":
+      return "Pub";
+    case "maven":
+    case "gradle":
+      return "Maven";
+    case "cocoapods":
+      return "CocoaPods";
+    case "spm":
+      return "SwiftURL";
+    default:
+      return "npm";
+  }
+}
+function parseProjectDeps(project) {
+  const manifestMap = {
+    npm: "package.json",
+    yarn: "package.json",
+    pnpm: "package.json",
+    flutter: "pubspec.yaml",
+    maven: "pom.xml",
+    gradle: "build.gradle",
+    cocoapods: "Podfile",
+    spm: "Package.swift"
+  };
+  const manifest = path.join(project.path, manifestMap[project.type] || "package.json");
+  switch (project.type) {
+    case "npm":
+      return (0, import_core.parseNpmLockfile)(project.lockFile, manifest);
+    case "yarn":
+      return (0, import_core.parseYarnLockfile)(project.lockFile, manifest);
+    case "pnpm":
+      return (0, import_core.parsePnpmLockfile)(project.lockFile, manifest);
+    case "flutter":
+      return (0, import_core.parsePubspecLockfile)(project.lockFile, manifest);
+    case "maven":
+      return (0, import_core.parseMavenPom)(project.lockFile, manifest);
+    case "gradle":
+      return (0, import_core.parseGradleLockfile)(project.lockFile, manifest);
+    case "cocoapods":
+      return (0, import_core.parsePodfileLock)(project.lockFile, manifest);
+    case "spm":
+      return (0, import_core.parsePackageResolved)(project.lockFile, manifest);
+    default:
+      throw new Error(`Unsupported project type: ${project.type}`);
+  }
+}
 async function scan(options) {
   const startTime = Date.now();
   const projectPath = path.resolve(options?.projectPath ?? process.cwd());
@@ -50,26 +102,14 @@ async function scan(options) {
   }
   const projects = (0, import_core.detectProjects)(projectPath);
   const project = projects[0];
-  const packageJsonPath = path.join(project.path, "package.json");
   let parsedDeps;
-  switch (project.type) {
-    case "npm":
-      parsedDeps = (0, import_core.parseNpmLockfile)(project.lockFile, packageJsonPath);
-      break;
-    case "yarn":
-      parsedDeps = (0, import_core.parseYarnLockfile)(project.lockFile, packageJsonPath);
-      break;
-    case "pnpm":
-      parsedDeps = (0, import_core.parsePnpmLockfile)(project.lockFile, packageJsonPath);
-      break;
-    default:
-      throw new Error(`Unsupported project type: ${project.type}`);
-  }
+  parsedDeps = parseProjectDeps(project);
   if (!config.scanDevDependencies) {
     parsedDeps = parsedDeps.filter((dep) => !dep.isDevDependency);
   }
   const dependencies = await (0, import_license.resolveLicenses)(parsedDeps, projectPath, {
     mode: config.mode ?? "auto",
+    ecosystem: project.type,
     networkTimeout: config.networkTimeout ?? 5e3,
     networkConcurrency: config.networkConcurrency ?? 10,
     cache: config.cache ?? true,
@@ -125,21 +165,7 @@ async function unifiedScan(options) {
   const projects = (0, import_core.detectProjects)(projectPath);
   const project = projects[0];
   progress(`Parsing ${project.type} lockfile...`);
-  const packageJsonPath = path.join(project.path, "package.json");
-  let parsedDeps;
-  switch (project.type) {
-    case "npm":
-      parsedDeps = (0, import_core.parseNpmLockfile)(project.lockFile, packageJsonPath);
-      break;
-    case "yarn":
-      parsedDeps = (0, import_core.parseYarnLockfile)(project.lockFile, packageJsonPath);
-      break;
-    case "pnpm":
-      parsedDeps = (0, import_core.parsePnpmLockfile)(project.lockFile, packageJsonPath);
-      break;
-    default:
-      throw new Error(`Unsupported project type: ${project.type}`);
-  }
+  let parsedDeps = parseProjectDeps(project);
   if (!config.scanDevDependencies) {
     parsedDeps = parsedDeps.filter((dep) => !dep.isDevDependency);
   }
@@ -154,6 +180,7 @@ async function unifiedScan(options) {
         const licenseStart = Date.now();
         const dependencies = await (0, import_license.resolveLicenses)(parsedDeps, projectPath, {
           mode,
+          ecosystem: project.type,
           networkTimeout: config.networkTimeout ?? 5e3,
           networkConcurrency: config.networkConcurrency ?? 10,
           cache: config.cache ?? true,
@@ -186,7 +213,7 @@ async function unifiedScan(options) {
       (async () => {
         progress("Checking security vulnerabilities...");
         const securityConfig = (0, import_security.mergeSecurityConfig)(config.security);
-        securityResult = await (0, import_security.scanSecurity)(parsedDeps, projectPath, securityConfig, mode);
+        securityResult = await (0, import_security.scanSecurity)(parsedDeps, projectPath, securityConfig, mode, getOsvEcosystem(project.type));
       })()
     );
   }
@@ -1180,18 +1207,40 @@ var path3 = __toESM(require("path"));
 var crypto = __toESM(require("crypto"));
 
 // src/formatters/purl.ts
-function generatePurl(name, version) {
+function getPurlType(ecosystem) {
+  switch (ecosystem) {
+    case "flutter":
+      return "pub";
+    case "maven":
+    case "gradle":
+      return "maven";
+    case "cocoapods":
+      return "cocoapods";
+    case "spm":
+      return "swift";
+    case "npm":
+    case "yarn":
+    case "pnpm":
+    default:
+      return "npm";
+  }
+}
+function generatePurl(name, version, ecosystem) {
+  const purlType = getPurlType(ecosystem);
   let encodedName;
-  if (name.startsWith("@")) {
+  if (purlType === "npm" && name.startsWith("@")) {
     const withoutAt = name.slice(1);
     encodedName = `%40${withoutAt}`;
+  } else if (purlType === "maven" && name.includes(":")) {
+    const [groupId, artifactId] = name.split(":");
+    encodedName = `${groupId}/${artifactId}`;
   } else {
     encodedName = name;
   }
   if (version) {
-    return `pkg:npm/${encodedName}@${version}`;
+    return `pkg:${purlType}/${encodedName}@${version}`;
   }
-  return `pkg:npm/${encodedName}`;
+  return `pkg:${purlType}/${encodedName}`;
 }
 function sanitizeSpdxId(value) {
   return value.replace(/[^a-zA-Z0-9.-]/g, "-");
@@ -1204,10 +1253,12 @@ function formatCycloneDx(result) {
 }
 function generateCycloneDxBom(result) {
   const projectName = getProjectName2(result.projectPath);
-  const rootBomRef = `pkg:npm/${projectName}`;
+  const ecosystem = result.projectType;
+  const purlType = ecosystem === "flutter" ? "pub" : "npm";
+  const rootBomRef = `pkg:${purlType}/${projectName}`;
   const allPolicyResults = getLicenseResults(result);
-  const components = allPolicyResults.map((pr) => buildComponent(pr));
-  const directDeps = allPolicyResults.filter((pr) => pr.dependency.isDirect).map((pr) => generateBomRef(pr.dependency.name, pr.dependency.version));
+  const components = allPolicyResults.map((pr) => buildComponent(pr, ecosystem));
+  const directDeps = allPolicyResults.filter((pr) => pr.dependency.isDirect).map((pr) => generateBomRef(pr.dependency.name, pr.dependency.version, ecosystem));
   const dependencies = [
     {
       ref: rootBomRef,
@@ -1218,7 +1269,7 @@ function generateCycloneDxBom(result) {
       ref: c["bom-ref"]
     }))
   ];
-  const vulnerabilities = getVulnerabilities(result, allPolicyResults);
+  const vulnerabilities = getVulnerabilities(result, allPolicyResults, ecosystem);
   const bom = {
     bomFormat: "CycloneDX",
     specVersion: "1.6",
@@ -1265,17 +1316,17 @@ function getLicenseResults(result) {
     ...license.unknown
   ];
 }
-function generateBomRef(name, version) {
-  return generatePurl(name, version);
+function generateBomRef(name, version, ecosystem) {
+  return generatePurl(name, version, ecosystem);
 }
-function buildComponent(pr) {
+function buildComponent(pr, ecosystem) {
   const dep = pr.dependency;
   const component = {
     type: "library",
     name: dep.name,
     version: dep.version,
-    purl: generatePurl(dep.name, dep.version),
-    "bom-ref": generatePurl(dep.name, dep.version)
+    purl: generatePurl(dep.name, dep.version, ecosystem),
+    "bom-ref": generatePurl(dep.name, dep.version, ecosystem)
   };
   if (dep.isDevDependency) {
     component.scope = "optional";
@@ -1293,12 +1344,12 @@ function buildComponent(pr) {
   }
   return component;
 }
-function getVulnerabilities(result, allPolicyResults) {
+function getVulnerabilities(result, allPolicyResults, ecosystem) {
   if (!result.modules.security) return [];
   const security = result.modules.security;
   const vulnerabilities = [];
   for (const vuln of security.vulnerabilities) {
-    const bomRef = findBomRefForPackage(vuln.package, vuln.version, allPolicyResults);
+    const bomRef = findBomRefForPackage(vuln.package, vuln.version, allPolicyResults, ecosystem);
     const cdxVuln = {
       id: vuln.id,
       source: {
@@ -1322,12 +1373,12 @@ function getVulnerabilities(result, allPolicyResults) {
   }
   return vulnerabilities;
 }
-function findBomRefForPackage(packageName, version, allPolicyResults) {
+function findBomRefForPackage(packageName, version, allPolicyResults, ecosystem) {
   const found = allPolicyResults.find(
     (pr) => pr.dependency.name === packageName && pr.dependency.version === version
   );
   if (found) {
-    return generatePurl(found.dependency.name, found.dependency.version);
+    return generatePurl(found.dependency.name, found.dependency.version, ecosystem);
   }
   return void 0;
 }
@@ -1366,7 +1417,8 @@ function generateSpdxDocument(result) {
     supplier: "NOASSERTION",
     externalRefs: []
   };
-  const depPackages = allPolicyResults.map((pr) => buildSpdxPackage(pr));
+  const ecosystem = result.projectType;
+  const depPackages = allPolicyResults.map((pr) => buildSpdxPackage(pr, ecosystem));
   const relationships = [];
   relationships.push({
     spdxElementId: "SPDXRef-DOCUMENT",
@@ -1429,12 +1481,12 @@ function generateSpdxPackageId(name, version) {
   const sanitizedVersion = sanitizeSpdxId(version);
   return `SPDXRef-Package-${sanitizedName}-${sanitizedVersion}`;
 }
-function buildSpdxPackage(pr) {
+function buildSpdxPackage(pr, ecosystem) {
   const dep = pr.dependency;
   const spdxId = generateSpdxPackageId(dep.name, dep.version);
-  const purl = generatePurl(dep.name, dep.version);
+  const purl = generatePurl(dep.name, dep.version, ecosystem);
   const license = dep.license === "UNKNOWN" ? "NOASSERTION" : dep.license;
-  const downloadLocation = `https://registry.npmjs.org/${dep.name}/-/${getPackageBasename(dep.name)}-${dep.version}.tgz`;
+  const downloadLocation = ecosystem === "flutter" ? `https://pub.dev/packages/${dep.name}/versions/${dep.version}` : `https://registry.npmjs.org/${dep.name}/-/${getPackageBasename(dep.name)}-${dep.version}.tgz`;
   return {
     SPDXID: spdxId,
     name: dep.name,

package/dist/index.js

@@ -51,6 +51,58 @@ function getCliVersion() {
     return "0.0.0";
   }
 }
+function getOsvEcosystem(projectType) {
+  switch (projectType) {
+    case "npm":
+    case "yarn":
+    case "pnpm":
+      return "npm";
+    case "flutter":
+      return "Pub";
+    case "maven":
+    case "gradle":
+      return "Maven";
+    case "cocoapods":
+      return "CocoaPods";
+    case "spm":
+      return "SwiftURL";
+    default:
+      return "npm";
+  }
+}
+function parseProjectDeps(project) {
+  const manifestMap = {
+    npm: "package.json",
+    yarn: "package.json",
+    pnpm: "package.json",
+    flutter: "pubspec.yaml",
+    maven: "pom.xml",
+    gradle: "build.gradle",
+    cocoapods: "Podfile",
+    spm: "Package.swift"
+  };
+  const manifest = path.join(project.path, manifestMap[project.type] || "package.json");
+  switch (project.type) {
+    case "npm":
+      return (0, import_core.parseNpmLockfile)(project.lockFile, manifest);
+    case "yarn":
+      return (0, import_core.parseYarnLockfile)(project.lockFile, manifest);
+    case "pnpm":
+      return (0, import_core.parsePnpmLockfile)(project.lockFile, manifest);
+    case "flutter":
+      return (0, import_core.parsePubspecLockfile)(project.lockFile, manifest);
+    case "maven":
+      return (0, import_core.parseMavenPom)(project.lockFile, manifest);
+    case "gradle":
+      return (0, import_core.parseGradleLockfile)(project.lockFile, manifest);
+    case "cocoapods":
+      return (0, import_core.parsePodfileLock)(project.lockFile, manifest);
+    case "spm":
+      return (0, import_core.parsePackageResolved)(project.lockFile, manifest);
+    default:
+      throw new Error(`Unsupported project type: ${project.type}`);
+  }
+}
 async function scan(options) {
   const startTime = Date.now();
   const projectPath = path.resolve(options?.projectPath ?? process.cwd());
@@ -60,26 +112,14 @@ async function scan(options) {
   }
   const projects = (0, import_core.detectProjects)(projectPath);
   const project = projects[0];
-  const packageJsonPath = path.join(project.path, "package.json");
   let parsedDeps;
-  switch (project.type) {
-    case "npm":
-      parsedDeps = (0, import_core.parseNpmLockfile)(project.lockFile, packageJsonPath);
-      break;
-    case "yarn":
-      parsedDeps = (0, import_core.parseYarnLockfile)(project.lockFile, packageJsonPath);
-      break;
-    case "pnpm":
-      parsedDeps = (0, import_core.parsePnpmLockfile)(project.lockFile, packageJsonPath);
-      break;
-    default:
-      throw new Error(`Unsupported project type: ${project.type}`);
-  }
+  parsedDeps = parseProjectDeps(project);
   if (!config.scanDevDependencies) {
     parsedDeps = parsedDeps.filter((dep) => !dep.isDevDependency);
   }
   const dependencies = await (0, import_license.resolveLicenses)(parsedDeps, projectPath, {
     mode: config.mode ?? "auto",
+    ecosystem: project.type,
     networkTimeout: config.networkTimeout ?? 5e3,
     networkConcurrency: config.networkConcurrency ?? 10,
     cache: config.cache ?? true,
@@ -135,21 +175,7 @@ async function unifiedScan(options) {
   const projects = (0, import_core.detectProjects)(projectPath);
   const project = projects[0];
   progress(`Parsing ${project.type} lockfile...`);
-  const packageJsonPath = path.join(project.path, "package.json");
-  let parsedDeps;
-  switch (project.type) {
-    case "npm":
-      parsedDeps = (0, import_core.parseNpmLockfile)(project.lockFile, packageJsonPath);
-      break;
-    case "yarn":
-      parsedDeps = (0, import_core.parseYarnLockfile)(project.lockFile, packageJsonPath);
-      break;
-    case "pnpm":
-      parsedDeps = (0, import_core.parsePnpmLockfile)(project.lockFile, packageJsonPath);
-      break;
-    default:
-      throw new Error(`Unsupported project type: ${project.type}`);
-  }
+  let parsedDeps = parseProjectDeps(project);
   if (!config.scanDevDependencies) {
     parsedDeps = parsedDeps.filter((dep) => !dep.isDevDependency);
   }
@@ -164,6 +190,7 @@ async function unifiedScan(options) {
         const licenseStart = Date.now();
         const dependencies = await (0, import_license.resolveLicenses)(parsedDeps, projectPath, {
           mode,
+          ecosystem: project.type,
           networkTimeout: config.networkTimeout ?? 5e3,
           networkConcurrency: config.networkConcurrency ?? 10,
           cache: config.cache ?? true,
@@ -196,7 +223,7 @@ async function unifiedScan(options) {
       (async () => {
         progress("Checking security vulnerabilities...");
         const securityConfig = (0, import_security.mergeSecurityConfig)(config.security);
-        securityResult = await (0, import_security.scanSecurity)(parsedDeps, projectPath, securityConfig, mode);
+        securityResult = await (0, import_security.scanSecurity)(parsedDeps, projectPath, securityConfig, mode, getOsvEcosystem(project.type));
       })()
     );
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "preship",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "Pre-ship verification for modern dev teams. License compliance, security vulnerability scanning, and secret detection — all in one CLI. Zero config. Fully offline. Free forever.",
   "keywords": [
     "license",
@@ -59,10 +59,10 @@
     "lint": "tsc --noEmit"
   },
   "dependencies": {
-    "@preship/core": "2.0.1",
-    "@preship/license": "2.0.1",
-    "@preship/security": "1.0.2",
-    "@preship/secrets": "1.0.4",
+    "@preship/core": "2.1.0",
+    "@preship/license": "2.1.0",
+    "@preship/security": "1.1.0",
+    "@preship/secrets": "1.0.6",
     "chalk": "^4.1.2",
     "cli-table3": "^0.6.5",
     "commander": "^12.1.0"