verimu 0.0.9 → 0.0.13

package/dist/index.cjs

@@ -37,6 +37,7 @@ __export(index_exports, {
   CveAggregator: () => CveAggregator,
   CveSourceError: () => CveSourceError,
   CycloneDxGenerator: () => CycloneDxGenerator,
+  DenoScanner: () => DenoScanner,
   GoScanner: () => GoScanner,
   LockfileParseError: () => LockfileParseError,
   MavenScanner: () => MavenScanner,
@@ -45,11 +46,18 @@ __export(index_exports, {
   NugetScanner: () => NugetScanner,
   OsvSource: () => OsvSource,
   PipScanner: () => PipScanner,
+  PnpmScanner: () => PnpmScanner,
   RubyScanner: () => RubyScanner,
   ScannerRegistry: () => ScannerRegistry,
+  SpdxJsonGenerator: () => SpdxJsonGenerator,
+  SwidTagGenerator: () => SwidTagGenerator,
   VerimuApiClient: () => VerimuApiClient,
   VerimuError: () => VerimuError,
+  YarnScanner: () => YarnScanner,
   generateSbom: () => generateSbom,
+  generateSbomArtifacts: () => generateSbomArtifacts,
+  generateSpdxSbom: () => generateSpdxSbom,
+  generateSwidTag: () => generateSwidTag,
   printReport: () => printReport,
   scan: () => scan,
   shouldFailCi: () => shouldFailCi,
@@ -59,18 +67,64 @@ module.exports = __toCommonJS(index_exports);
 
 // src/generate-sbom.ts
 var import_crypto = require("crypto");
+
+// src/sbom/shared.ts
+var VERIMU_TOOL_NAME = "verimu";
+var VERIMU_TOOL_WEBSITE = "https://verimu.com";
+var VERIMU_TOOL_DESCRIPTION = "Verimu CRA Compliance Scanner";
+var DEFAULT_TOOL_VERSION = "0.1.0";
+var DEFAULT_PROJECT_VERSION = "0.0.0";
+var DEFAULT_SWID_VERSION = "0.0.0";
+var PURL_TYPE_MAP = {
+  npm: "npm",
+  nuget: "nuget",
+  cargo: "cargo",
+  maven: "maven",
+  pip: "pypi",
+  poetry: "pypi",
+  uv: "pypi",
+  go: "golang",
+  ruby: "gem",
+  composer: "composer",
+  deno: "deno"
+};
+function buildPurl(name, version, ecosystem) {
+  const type = PURL_TYPE_MAP[ecosystem] || ecosystem;
+  if (ecosystem === "npm" && name.startsWith("@")) {
+    return `pkg:${type}/%40${name.slice(1)}@${version}`;
+  }
+  return `pkg:${type}/${name}@${version}`;
+}
+function deriveSupplierName(packageName) {
+  if (packageName.startsWith("@")) {
+    return packageName.split("/")[0];
+  }
+  return packageName;
+}
+function extractProjectName(projectPath) {
+  const parts = projectPath.replace(/\\/g, "/").split("/");
+  return parts[parts.length - 1] || "unknown-project";
+}
+function normalizeDependencies(dependencies) {
+  return dependencies.map((dep) => ({
+    name: dep.name,
+    version: dep.version,
+    ecosystem: dep.ecosystem,
+    direct: dep.direct ?? true,
+    purl: dep.purl ?? buildPurl(dep.name, dep.version, dep.ecosystem),
+    supplierName: deriveSupplierName(dep.name)
+  }));
+}
+
+// src/generate-sbom.ts
 function generateSbom(input) {
   const {
     projectName,
-    projectVersion = "0.0.0",
+    projectVersion = DEFAULT_PROJECT_VERSION,
     dependencies
   } = input;
   const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-  const resolvedDeps = dependencies.map((dep) => ({
-    ...dep,
-    direct: dep.direct ?? true,
-    purl: dep.purl ?? buildPurl(dep.name, dep.version, dep.ecosystem)
-  }));
+  const resolvedDeps = normalizeDependencies(dependencies);
   const rootPurl = buildPurl(projectName, projectVersion, "npm");
   const sbom = {
     $schema: "http://cyclonedx.org/schema/bom-1.7.schema.json",
@@ -84,12 +138,12 @@ function generateSbom(input) {
         components: [
           {
             type: "application",
-            name: "verimu",
+            name: VERIMU_TOOL_NAME,
             version: "0.0.1",
-            description: "Verimu CRA Compliance Scanner",
+            description: VERIMU_TOOL_DESCRIPTION,
             supplier: { name: "Verimu" },
             externalReferences: [
-              { type: "website", url: "https://verimu.com" }
+              { type: "website", url: VERIMU_TOOL_WEBSITE }
             ]
           }
         ]
@@ -110,7 +164,7 @@ function generateSbom(input) {
       purl: dep.purl,
       "bom-ref": dep.purl,
       scope: dep.direct ? "required" : "optional",
-      supplier: { name: deriveSupplierName(dep.name) }
+      supplier: { name: dep.supplierName }
     })),
     dependencies: [
       {
@@ -128,33 +182,130 @@ function generateSbom(input) {
     generatedAt: timestamp
   };
 }
-var PURL_TYPE_MAP = {
-  npm: "npm",
-  nuget: "nuget",
-  cargo: "cargo",
-  maven: "maven",
-  pip: "pypi",
-  go: "golang",
-  ruby: "gem",
-  composer: "composer"
-};
-function buildPurl(name, version, ecosystem) {
-  const type = PURL_TYPE_MAP[ecosystem] || ecosystem;
-  if (ecosystem === "npm" && name.startsWith("@")) {
-    return `pkg:${type}/%40${name.slice(1)}@${version}`;
-  }
-  return `pkg:${type}/${name}@${version}`;
+
+// src/generate-spdx.ts
+var import_crypto2 = require("crypto");
+var SPDX_VERSION = "2.3";
+function generateSpdxSbom(input) {
+  const {
+    projectName,
+    projectVersion = DEFAULT_PROJECT_VERSION,
+    dependencies
+  } = input;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const resolvedDeps = normalizeDependencies(dependencies);
+  const rootPackageId = "SPDXRef-Package-root";
+  const spdx = {
+    spdxVersion: `SPDX-${SPDX_VERSION}`,
+    dataLicense: "CC0-1.0",
+    SPDXID: "SPDXRef-DOCUMENT",
+    name: `${projectName}-sbom`,
+    documentNamespace: `https://verimu.com/spdxdocs/${projectName}-${(0, import_crypto2.randomUUID)()}`,
+    creationInfo: {
+      created: timestamp,
+      creators: [`Tool: ${VERIMU_TOOL_NAME}`]
+    },
+    documentDescribes: [rootPackageId],
+    packages: [
+      {
+        name: projectName,
+        SPDXID: rootPackageId,
+        versionInfo: projectVersion,
+        supplier: `Organization: ${projectName}`,
+        downloadLocation: "NOASSERTION",
+        filesAnalyzed: false,
+        licenseConcluded: "NOASSERTION",
+        licenseDeclared: "NOASSERTION",
+        primaryPackagePurpose: "APPLICATION"
+      },
+      ...resolvedDeps.map((dep, index) => ({
+        name: dep.name,
+        SPDXID: `SPDXRef-Package-${index + 1}`,
+        versionInfo: dep.version,
+        supplier: `Organization: ${dep.supplierName}`,
+        downloadLocation: "NOASSERTION",
+        filesAnalyzed: false,
+        licenseConcluded: "NOASSERTION",
+        licenseDeclared: "NOASSERTION",
+        primaryPackagePurpose: "LIBRARY",
+        externalRefs: [
+          {
+            referenceCategory: "PACKAGE-MANAGER",
+            referenceType: "purl",
+            referenceLocator: dep.purl
+          }
+        ]
+      }))
+    ],
+    relationships: [
+      {
+        spdxElementId: "SPDXRef-DOCUMENT",
+        relationshipType: "DESCRIBES",
+        relatedSpdxElement: rootPackageId
+      },
+      ...resolvedDeps.map((_dep, index) => ({
+        spdxElementId: rootPackageId,
+        relationshipType: "DEPENDS_ON",
+        relatedSpdxElement: `SPDXRef-Package-${index + 1}`
+      }))
+    ]
+  };
+  const content = JSON.stringify(spdx, null, 2);
+  return {
+    sbom: spdx,
+    content,
+    componentCount: resolvedDeps.length,
+    specVersion: SPDX_VERSION,
+    generatedAt: timestamp
+  };
 }
-function deriveSupplierName(packageName) {
-  if (packageName.startsWith("@")) {
-    return packageName.split("/")[0];
-  }
-  return packageName;
+
+// src/generate-swid.ts
+var import_crypto3 = require("crypto");
+var SWID_SPEC_VERSION = "ISO/IEC 19770-2:2015";
+function generateSwidTag(input) {
+  const {
+    projectName,
+    projectVersion = DEFAULT_PROJECT_VERSION
+  } = input;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const tagVersion = 1;
+  const normalizedVersion = projectVersion || DEFAULT_SWID_VERSION;
+  const tagId = `com.verimu:${sanitizeTagId(projectName)}:${normalizedVersion}:${(0, import_crypto3.randomUUID)()}`;
+  const tag = [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    "<SoftwareIdentity",
+    '  xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"',
+    `  name="${escapeXml(projectName)}"`,
+    `  tagId="${escapeXml(tagId)}"`,
+    `  tagVersion="${tagVersion}"`,
+    `  version="${escapeXml(normalizedVersion)}"`,
+    '  versionScheme="semver">',
+    `  <Entity name="${escapeXml(projectName)}" role="softwareCreator" />`,
+    '  <Entity name="Verimu" role="tagCreator" />',
+    `  <Meta product="${escapeXml(projectName)}" generator="${VERIMU_TOOL_NAME}" generated="${timestamp}" />`,
+    "  <!-- TODO: Consider adding dependency/package evidence if we need richer SWID coverage. -->",
+    '  <Link rel="describedby" href="https://verimu.com" />',
+    "</SoftwareIdentity>"
+  ].join("\n");
+  return {
+    tag,
+    content: tag,
+    componentCount: 1,
+    specVersion: SWID_SPEC_VERSION,
+    generatedAt: timestamp
+  };
+}
+function escapeXml(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&apos;");
+}
+function sanitizeTagId(value) {
+  return value.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
 }
 
 // src/scan.ts
-var import_promises9 = require("fs/promises");
-var import_path9 = require("path");
+var import_promises14 = require("fs/promises");
+var import_path14 = require("path");
 
 // src/scanners/npm/npm-scanner.ts
 var import_promises = require("fs/promises");
@@ -172,7 +323,7 @@ var VerimuError = class extends Error {
 var NoLockfileError = class extends VerimuError {
   constructor(projectPath) {
     super(
-      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby), composer.lock (Composer)`,
+      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (pip), poetry.lock (Poetry), uv.lock (uv), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby), composer.lock (Composer), yarn.lock (Yarn), pnpm-lock.yaml (pnpm)`,
       "NO_LOCKFILE"
     );
     this.name = "NoLockfileError";
@@ -1089,159 +1240,1278 @@ var ComposerScanner = class {
   }
 };
 
-// src/scanners/registry.ts
-var ScannerRegistry = class {
-  scanners;
-  constructor() {
-    this.scanners = [
-      new NpmScanner(),
-      new NugetScanner(),
-      new CargoScanner(),
-      new PipScanner(),
-      new MavenScanner(),
-      new GoScanner(),
-      new RubyScanner(),
-      new ComposerScanner()
-    ];
+// src/scanners/yarn/yarn-scanner.ts
+var import_promises9 = require("fs/promises");
+var import_fs9 = require("fs");
+var import_path9 = __toESM(require("path"), 1);
+var import_yaml = require("yaml");
+var YarnScanner = class {
+  ecosystem = "npm";
+  lockfileNames = ["yarn.lock"];
+  async detect(projectPath) {
+    const lockfilePath = import_path9.default.join(projectPath, "yarn.lock");
+    return (0, import_fs9.existsSync)(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, packageJsonRaw] = await Promise.all([
+      (0, import_promises9.readFile)(lockfilePath, "utf-8"),
+      (0, import_promises9.readFile)(import_path9.default.join(projectPath, "package.json"), "utf-8").catch(() => null)
+    ]);
+    const directNames = /* @__PURE__ */ new Set();
+    if (packageJsonRaw) {
+      try {
+        const pkg = JSON.parse(packageJsonRaw);
+        for (const name of Object.keys(pkg.dependencies ?? {})) {
+          directNames.add(name);
+        }
+        for (const name of Object.keys(pkg.devDependencies ?? {})) {
+          directNames.add(name);
+        }
+      } catch {
+      }
+    }
+    const dependencies = this.parseLockfile(lockfileRaw, lockfilePath, directNames);
+    return {
+      projectPath,
+      ecosystem: "npm",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
   }
   /**
-   * Auto-detects the project's ecosystem and scans dependencies.
-   * Tries each registered scanner in order until one matches.
+   * Parses yarn.lock file and extracts dependencies.
+   * Automatically detects and handles both v1 (Classic) and v2+ (Berry) formats.
    */
-  async detectAndScan(projectPath) {
-    for (const scanner of this.scanners) {
-      const lockfilePath = await scanner.detect(projectPath);
-      if (lockfilePath) {
-        return scanner.scan(projectPath, lockfilePath);
+  parseLockfile(content, lockfilePath, directNames) {
+    try {
+      const isV2Plus = this.isYarnV2Plus(content);
+      if (isV2Plus) {
+        return this.parseLockfileV2Plus(content, lockfilePath, directNames);
+      } else {
+        return this.parseLockfileV1(content, lockfilePath, directNames);
       }
+    } catch (err) {
+      throw new LockfileParseError(
+        lockfilePath,
+        `Failed to parse yarn.lock: ${err instanceof Error ? err.message : "Unknown error"}`
+      );
     }
-    throw new NoLockfileError(projectPath);
-  }
-  /** Returns a specific scanner by ecosystem name */
-  getScanner(ecosystem) {
-    return this.scanners.find((s) => s.ecosystem === ecosystem);
   }
-  /** Lists all registered ecosystems */
-  listEcosystems() {
-    return this.scanners.map((s) => s.ecosystem);
-  }
-};
-
-// src/sbom/cyclonedx.ts
-var import_crypto2 = require("crypto");
-var CycloneDxGenerator = class {
-  format = "cyclonedx-json";
-  generate(scanResult, toolVersion = "0.1.0") {
-    const bom = this.buildBom(scanResult, toolVersion);
-    const content = JSON.stringify(bom, null, 2);
-    return {
-      format: "cyclonedx-json",
-      specVersion: "1.7",
-      content,
-      componentCount: scanResult.dependencies.length,
-      generatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
+  /**
+   * Detects if the lockfile is Yarn v2+ (Berry) format.
+   * v2+ uses YAML format and contains __metadata section.
+   */
+  isYarnV2Plus(content) {
+    return content.startsWith("__metadata:") || content.includes("\n__metadata:");
   }
-  buildBom(scanResult, toolVersion) {
-    const projectName = this.extractProjectName(scanResult.projectPath);
-    return {
-      $schema: "http://cyclonedx.org/schema/bom-1.7.schema.json",
-      bomFormat: "CycloneDX",
-      specVersion: "1.7",
-      serialNumber: `urn:uuid:${(0, import_crypto2.randomUUID)()}`,
-      version: 1,
-      metadata: {
-        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        tools: {
-          components: [
-            {
-              type: "application",
-              name: "verimu",
-              version: toolVersion,
-              description: "Verimu CRA Compliance Scanner",
-              supplier: { name: "Verimu" },
-              externalReferences: [
-                {
-                  type: "website",
-                  url: "https://verimu.com"
-                }
-              ]
-            }
-          ]
-        },
-        // NTIA: metadata.supplier — the org supplying the root software
-        supplier: {
-          name: projectName
-        },
-        component: {
-          type: "application",
-          name: projectName,
-          "bom-ref": "root-component",
-          supplier: { name: projectName }
+  /**
+   * Parses Yarn v2+ (Berry) lockfile format.
+   * 
+   * Yarn v2+ format (YAML):
+   * ```yaml
+   * __metadata:
+   *   version: 6
+   * 
+   * "package-name@npm:^1.0.0":
+   *   version: 1.2.3
+   *   resolution: "package-name@npm:1.2.3"
+   *   dependencies:
+   *     dep1: ^2.0.0
+   *   checksum: ...
+   *   languageName: node
+   *   linkType: hard
+   * ```
+   */
+  parseLockfileV2Plus(content, lockfilePath, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    try {
+      const parsed = (0, import_yaml.parse)(content);
+      if (!parsed || typeof parsed !== "object") {
+        throw new Error("Invalid YAML format");
+      }
+      for (const [key, value] of Object.entries(parsed)) {
+        if (key === "__metadata" || key.includes("@workspace:")) {
+          continue;
         }
-      },
-      components: scanResult.dependencies.map((dep) => this.toComponent(dep)),
-      dependencies: this.buildDependencyGraph(scanResult)
-    };
+        if (typeof value !== "object" || value === null) {
+          continue;
+        }
+        const entry = value;
+        let name = null;
+        if (entry.resolution && typeof entry.resolution === "string") {
+          name = this.extractPackageNameFromResolution(entry.resolution);
+        }
+        if (!name) {
+          name = this.extractPackageNameV2Plus(key);
+        }
+        const version = entry.version;
+        if (!name || !version || typeof version !== "string") {
+          continue;
+        }
+        const depKey = `${name}@${version}`;
+        if (seen.has(depKey)) {
+          continue;
+        }
+        seen.set(depKey, true);
+        deps.push({
+          name,
+          version,
+          direct: directNames.has(name),
+          ecosystem: "npm",
+          purl: this.buildPurl(name, version)
+        });
+      }
+    } catch (err) {
+      throw new Error(`Failed to parse Yarn v2+ lockfile: ${err instanceof Error ? err.message : "Unknown error"}`);
+    }
+    return deps;
   }
-  /** Converts a Verimu Dependency to a CycloneDX component */
-  toComponent(dep) {
-    return {
-      type: "library",
-      name: dep.name,
-      version: dep.version,
-      purl: dep.purl,
-      "bom-ref": dep.purl,
-      scope: dep.direct ? "required" : "optional",
-      // NTIA: component.supplier — derived from npm scope or package name
-      supplier: {
-        name: this.deriveSupplierName(dep.name)
+  /**
+   * Extracts package name from Yarn v2+ resolution field.
+   * The resolution field contains the real package name.
+   * Examples:
+   *   "express@npm:4.18.2" → "express"
+   *   "@types/node@npm:20.11.5" → "@types/node"
+   *   "lodash@npm:4.17.21" → "lodash"
+   */
+  extractPackageNameFromResolution(resolution) {
+    if (resolution.startsWith("@")) {
+      const match2 = resolution.match(/^(@[^@]+\/[^@]+)@/);
+      if (match2) {
+        return match2[1];
       }
-    };
+    }
+    const match = resolution.match(/^([^@]+)@/);
+    if (match) {
+      return match[1];
+    }
+    return null;
   }
   /**
-   * Derives a supplier name from a package name.
-   *
-   * For scoped packages like "@vue/reactivity" → "@vue"
-   * For unscoped packages like "express" → "express"
-   *
-   * This is the same heuristic used by Syft, Trivy, and other SBOM tools
-   * when registry metadata (author/publisher) isn't available from the lockfile.
+   * Extracts package name from Yarn v2+ package key.
+   * Examples:
+   *   "express@npm:^4.18.0" → "express"
+   *   "@types/node@npm:^20.0.0" → "@types/node"
+   *   "pkg@npm:other@npm:^1.0.0" → "pkg" (aliased packages)
    */
-  deriveSupplierName(packageName) {
-    if (packageName.startsWith("@")) {
-      const scope = packageName.split("/")[0];
-      return scope;
+  extractPackageNameV2Plus(key) {
+    if (key.startsWith("@")) {
+      const match2 = key.match(/^(@[^@]+\/[^@]+)@/);
+      if (match2) {
+        return match2[1];
+      }
+    }
+    const match = key.match(/^([^@]+)@/);
+    if (match) {
+      return match[1];
     }
-    return packageName;
+    return null;
   }
   /**
-   * Builds the dependency graph section of the SBOM.
-   *
-   * The root component depends on all dependencies (direct + transitive).
-   * This ensures a single root node in the graph, which NTIA validators expect.
+   * Parses Yarn v1 (Classic) lockfile format.
    *
-   * We include ALL deps under root (not just direct) because from a flat lockfile
-   * we can't reliably reconstruct which transitive dep belongs to which direct dep.
-   * This is still valid per the CycloneDX spec — it represents a complete but flat
-   * dependency relationship.
+   * Yarn v1 format:
+   * ```
+   * "package-name@^1.0.0":
+   *   version "1.2.3"
+   *   resolved "https://..."
+   *   integrity sha512-...
+   *   dependencies:
+   *     dep1 "^2.0.0"
+   * ```
    */
-  buildDependencyGraph(scanResult) {
-    const allDepPurls = scanResult.dependencies.map((d) => d.purl);
-    return [
-      {
-        ref: "root-component",
-        dependsOn: allDepPurls
+  parseLockfileV1(content, lockfilePath, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    const lines = content.split("\n");
+    let currentPackage = null;
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.trim().startsWith("#") || line.trim() === "") {
+        continue;
       }
-    ];
-  }
-  /** Extracts project name from path */
-  extractProjectName(projectPath) {
-    const parts = projectPath.replace(/\\/g, "/").split("/");
-    return parts[parts.length - 1] || "unknown-project";
-  }
-};
-
+      if (line.match(/^["\w@]/) && line.includes(":") && !line.startsWith("  ")) {
+        if (currentPackage?.version) {
+          this.addDependency(currentPackage, directNames, seen, deps);
+        }
+        const pkgLine = line.substring(0, line.lastIndexOf(":"));
+        const names = pkgLine.split(",").map((s) => s.trim().replace(/^["']|["']$/g, "")).map((s) => this.extractPackageName(s)).filter((s) => !!s);
+        currentPackage = { names, version: void 0 };
+      } else if (line.trim().startsWith("version ") && currentPackage) {
+        const match = line.match(/version\s+"([^"]+)"/);
+        if (match) {
+          currentPackage.version = match[1];
+        }
+      }
+    }
+    if (currentPackage?.version) {
+      this.addDependency(currentPackage, directNames, seen, deps);
+    }
+    return deps;
+  }
+  /**
+   * Adds a dependency to the result list (deduplicates by name@version)
+   */
+  addDependency(pkg, directNames, seen, deps) {
+    if (!pkg.version) return;
+    const name = pkg.names[0];
+    if (!name) return;
+    const key = `${name}@${pkg.version}`;
+    if (seen.has(key)) return;
+    seen.set(key, true);
+    deps.push({
+      name,
+      version: pkg.version,
+      direct: directNames.has(name),
+      ecosystem: "npm",
+      purl: this.buildPurl(name, pkg.version)
+    });
+  }
+  /**
+   * Extracts package name from yarn.lock package declaration.
+   * Examples:
+   *   "express@^4.18.0" → "express"
+   *   "@types/node@^20.0.0" → "@types/node"
+   *   "pkg@npm:other@^1.0.0" → "pkg" (aliased packages)
+   */
+  extractPackageName(pkgDeclaration) {
+    if (pkgDeclaration.includes("@npm:")) {
+      const beforeAlias = pkgDeclaration.split("@npm:")[0];
+      return beforeAlias || null;
+    }
+    if (pkgDeclaration.startsWith("@")) {
+      const parts = pkgDeclaration.split("@");
+      if (parts.length >= 3) {
+        return `@${parts[1]}`;
+      }
+    } else {
+      const atIndex = pkgDeclaration.indexOf("@");
+      if (atIndex > 0) {
+        return pkgDeclaration.substring(0, atIndex);
+      }
+    }
+    return null;
+  }
+  /**
+   * Builds a purl (Package URL) for an npm package.
+   *
+   * Per the purl spec:
+   * "The npm scope @ sign prefix is always percent encoded."
+   *
+   * So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5
+   * And express@4.18.2 → pkg:npm/express@4.18.2
+   */
+  buildPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+
+// src/scanners/pnpm/pnpm-scanner.ts
+var import_promises10 = require("fs/promises");
+var import_fs10 = require("fs");
+var import_path10 = __toESM(require("path"), 1);
+var import_yaml2 = require("yaml");
+var PnpmScanner = class {
+  ecosystem = "npm";
+  lockfileNames = ["pnpm-lock.yaml"];
+  async detect(projectPath) {
+    const lockfilePath = import_path10.default.join(projectPath, "pnpm-lock.yaml");
+    return (0, import_fs10.existsSync)(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await (0, import_promises10.readFile)(lockfilePath, "utf-8");
+    const dependencies = this.parseLockfile(lockfileRaw, lockfilePath);
+    return {
+      projectPath,
+      ecosystem: "npm",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses pnpm-lock.yaml file and extracts dependencies.
+   * 
+   * pnpm-lock.yaml format (v5.4+):
+   * ```yaml
+   * lockfileVersion: 5.4
+   * 
+   * dependencies:
+   *   express: 4.18.2
+   * 
+   * devDependencies:
+   *   typescript: 5.0.0
+   * 
+   * packages:
+   *   /express/4.18.2:
+   *     resolution: {integrity: sha512-...}
+   *     dependencies:
+   *       accepts: 1.3.8
+   *   /@types/node/20.11.5:
+   *     resolution: {integrity: sha512-...}
+   *     dev: true
+   * ```
+   * 
+   * pnpm-lock.yaml format (v6.0+):
+   * ```yaml
+   * lockfileVersion: '6.0'
+   * 
+   * dependencies:
+   *   express:
+   *     specifier: ^4.18.0
+   *     version: 4.18.2
+   * 
+   * packages:
+   *   /express@4.18.2:
+   *     resolution: {integrity: sha512-...}
+   * ```
+   */
+  parseLockfile(content, lockfilePath) {
+    try {
+      const parsed = (0, import_yaml2.parse)(content);
+      if (!parsed || typeof parsed !== "object") {
+        throw new Error("Invalid YAML format");
+      }
+      const lockfile = parsed;
+      const lockfileVersion = this.parseLockfileVersion(lockfile.lockfileVersion);
+      const directNames = this.extractDirectDependencies(lockfile);
+      return this.extractDependencies(lockfile, lockfileVersion, directNames);
+    } catch (err) {
+      throw new LockfileParseError(
+        lockfilePath,
+        `Failed to parse pnpm-lock.yaml: ${err instanceof Error ? err.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Extracts direct dependency names from pnpm lockfile.
+   * 
+   * Supports both formats:
+   * - pnpm v5.x: root-level dependencies/devDependencies
+   * - pnpm v6+: importers['.'].dependencies/devDependencies
+   */
+  extractDirectDependencies(lockfile) {
+    const directNames = /* @__PURE__ */ new Set();
+    if (lockfile.importers && typeof lockfile.importers === "object") {
+      const rootImporter = lockfile.importers["."];
+      if (rootImporter && typeof rootImporter === "object") {
+        if (rootImporter.dependencies && typeof rootImporter.dependencies === "object") {
+          for (const name of Object.keys(rootImporter.dependencies)) {
+            directNames.add(name);
+          }
+        }
+        if (rootImporter.devDependencies && typeof rootImporter.devDependencies === "object") {
+          for (const name of Object.keys(rootImporter.devDependencies)) {
+            directNames.add(name);
+          }
+        }
+      }
+    }
+    if (directNames.size === 0) {
+      if (lockfile.dependencies && typeof lockfile.dependencies === "object") {
+        for (const name of Object.keys(lockfile.dependencies)) {
+          directNames.add(name);
+        }
+      }
+      if (lockfile.devDependencies && typeof lockfile.devDependencies === "object") {
+        for (const name of Object.keys(lockfile.devDependencies)) {
+          directNames.add(name);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Parses lockfile version (can be string or number)
+   */
+  parseLockfileVersion(version) {
+    if (typeof version === "number") {
+      return version;
+    }
+    if (typeof version === "string") {
+      const parsed = parseFloat(version);
+      return isNaN(parsed) ? 5.4 : parsed;
+    }
+    return 5.4;
+  }
+  /**
+   * Extracts dependencies from the lockfile packages section
+   */
+  extractDependencies(lockfile, lockfileVersion, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    if (!lockfile.packages || typeof lockfile.packages !== "object") {
+      return deps;
+    }
+    for (const [pkgPath, pkgInfo] of Object.entries(lockfile.packages)) {
+      if (!pkgInfo || typeof pkgInfo !== "object") {
+        continue;
+      }
+      if (pkgPath.includes("@workspace:")) {
+        continue;
+      }
+      const { name, version } = this.parsePackagePath(pkgPath, lockfileVersion);
+      if (!name || !version) {
+        continue;
+      }
+      const depKey = `${name}@${version}`;
+      if (seen.has(depKey)) {
+        continue;
+      }
+      seen.set(depKey, true);
+      deps.push({
+        name,
+        version,
+        direct: directNames.has(name),
+        ecosystem: "npm",
+        purl: this.buildPurl(name, version)
+      });
+    }
+    return deps;
+  }
+  /**
+   * Parses package path to extract name and version.
+   * 
+   * pnpm v5.x format:
+   *   "/express/4.18.2" → name: "express", version: "4.18.2"
+   *   "/@types/node/20.11.5" → name: "@types/node", version: "20.11.5"
+   *   "/accepts/1.3.8" → name: "accepts", version: "1.3.8"
+   * 
+   * pnpm v6+ format:
+   *   "/express@4.18.2" → name: "express", version: "4.18.2"
+   *   "/@types/node@20.11.5" → name: "@types/node", version: "20.11.5"
+   *   "/accepts@1.3.8" → name: "accepts", version: "1.3.8"
+   * 
+   * Also handles peer dependency suffixes:
+   *   "/pkg@1.0.0_dep@2.0.0" → name: "pkg", version: "1.0.0"
+   *   "/pkg@1.0.0(dep@2.0.0)" → name: "pkg", version: "1.0.0"
+   */
+  parsePackagePath(pkgPath, lockfileVersion) {
+    const path14 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
+    const cleanPath = path14.split("_")[0].split("(")[0];
+    if (!cleanPath) {
+      return { name: null, version: null };
+    }
+    if (lockfileVersion >= 6) {
+      return this.parseV6Format(cleanPath);
+    }
+    return this.parseV5Format(cleanPath);
+  }
+  /**
+   * Parses v6+ format: "express@4.18.2" or "@types/node@20.11.5"
+   */
+  parseV6Format(path14) {
+    if (path14.startsWith("@")) {
+      const lastAtIndex = path14.lastIndexOf("@");
+      if (lastAtIndex <= 0) {
+        return { name: null, version: null };
+      }
+      const name2 = path14.substring(0, lastAtIndex);
+      const version2 = path14.substring(lastAtIndex + 1);
+      return { name: name2, version: version2 };
+    }
+    const atIndex = path14.indexOf("@");
+    if (atIndex < 0) {
+      return { name: null, version: null };
+    }
+    const name = path14.substring(0, atIndex);
+    const version = path14.substring(atIndex + 1);
+    return { name, version };
+  }
+  /**
+   * Parses v5.x format: "express/4.18.2" or "@types/node/20.11.5"
+   */
+  parseV5Format(path14) {
+    if (path14.startsWith("@")) {
+      const parts = path14.split("/");
+      if (parts.length < 3) {
+        return { name: null, version: null };
+      }
+      const name2 = `${parts[0]}/${parts[1]}`;
+      const version2 = parts[2];
+      return { name: name2, version: version2 };
+    }
+    const slashIndex = path14.indexOf("/");
+    if (slashIndex < 0) {
+      return { name: null, version: null };
+    }
+    const name = path14.substring(0, slashIndex);
+    const version = path14.substring(slashIndex + 1);
+    return { name, version };
+  }
+  /**
+   * Builds a purl (Package URL) for an npm package.
+   *
+   * Per the purl spec:
+   * "The npm scope @ sign prefix is always percent encoded."
+   *
+   * So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5
+   * And express@4.18.2 → pkg:npm/express@4.18.2
+   */
+  buildPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+
+// src/scanners/deno/deno-scanner.ts
+var import_promises11 = require("fs/promises");
+var import_fs11 = require("fs");
+var import_path11 = __toESM(require("path"), 1);
+var DenoScanner = class {
+  ecosystem = "deno";
+  lockfileNames = ["deno.lock"];
+  async detect(projectPath) {
+    for (const name of this.lockfileNames) {
+      const lockfilePath = import_path11.default.join(projectPath, name);
+      if ((0, import_fs11.existsSync)(lockfilePath)) return lockfilePath;
+    }
+    return null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await (0, import_promises11.readFile)(lockfilePath, "utf-8");
+    let lockfile;
+    try {
+      lockfile = JSON.parse(lockfileRaw);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON");
+    }
+    const dependencies = this.parseLockfile(lockfile);
+    return {
+      projectPath,
+      ecosystem: "deno",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses the lockfile and extracts dependencies from both
+   * npm and jsr package registries.
+   *
+   * Supports v3 (packages nested under `packages`), v4, and v5 (top-level jsr/npm sections).
+   * Uses lockfile specifiers to determine direct vs transitive dependencies.
+   */
+  parseLockfile(lockfile) {
+    const deps = [];
+    const directNames = this.extractDirectDependencies(lockfile);
+    const jsrPackages = lockfile.jsr ?? lockfile.packages?.jsr ?? {};
+    const npmPackages = lockfile.npm ?? lockfile.packages?.npm ?? {};
+    for (const key of Object.keys(jsrPackages)) {
+      const parsed = this.parsePackageKey(key);
+      if (!parsed) continue;
+      deps.push({
+        name: parsed.name,
+        version: parsed.version,
+        direct: directNames.has(`jsr:${parsed.name}`),
+        ecosystem: "deno",
+        // JSR packages belong to Deno ecosystem
+        purl: this.buildJsrPurl(parsed.name, parsed.version)
+      });
+    }
+    for (const key of Object.keys(npmPackages)) {
+      const parsed = this.parsePackageKey(key);
+      if (!parsed) continue;
+      deps.push({
+        name: parsed.name,
+        version: parsed.version,
+        direct: directNames.has(`npm:${parsed.name}`),
+        ecosystem: "npm",
+        // npm packages belong to npm ecosystem (for CVE tracking)
+        purl: this.buildNpmPurl(parsed.name, parsed.version)
+      });
+    }
+    return deps;
+  }
+  /**
+   * Extracts direct dependency names from lockfile specifiers.
+   *
+   * Returns a set of ecosystem-qualified package names like "jsr:@std/assert" or "npm:express".
+   * The ecosystem prefix prevents collisions if the same package name exists in both registries.
+   */
+  extractDirectDependencies(lockfile) {
+    const directNames = /* @__PURE__ */ new Set();
+    const specifiers = lockfile.specifiers ?? lockfile.packages?.specifiers ?? {};
+    for (const [constraint, resolved] of Object.entries(specifiers)) {
+      if (resolved.startsWith("file:") || resolved.startsWith("https:") || resolved.startsWith("http:") || resolved.startsWith("data:")) {
+        continue;
+      }
+      let ecosystem = null;
+      if (constraint.startsWith("jsr:")) {
+        ecosystem = "jsr";
+      } else if (constraint.startsWith("npm:")) {
+        ecosystem = "npm";
+      }
+      if (!ecosystem) continue;
+      let resolvedKey = resolved;
+      if (resolved.startsWith("jsr:") || resolved.startsWith("npm:")) {
+        resolvedKey = resolved.replace(/^(jsr:|npm:)/, "");
+        const parsed = this.parsePackageKey(resolvedKey);
+        if (parsed) {
+          directNames.add(`${ecosystem}:${parsed.name}`);
+        }
+      } else {
+        const name = this.extractNameFromSpecifier(constraint);
+        if (name) {
+          directNames.add(`${ecosystem}:${name}`);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Parses a package key like "@std/assert@1.0.10" or "express@4.21.2"
+   * into { name, version }.
+   *
+   * Handles scoped packages where the name starts with @ (e.g., @std/assert).
+   * In that case the version separator is the LAST @ sign.
+   */
+  parsePackageKey(key) {
+    const lastAtIndex = key.lastIndexOf("@");
+    if (lastAtIndex <= 0) return null;
+    const name = key.slice(0, lastAtIndex);
+    const version = key.slice(lastAtIndex + 1);
+    if (!name || !version) return null;
+    return { name, version };
+  }
+  /**
+   * Extracts the package name from a Deno import specifier.
+   *
+   * Examples:
+   *   "jsr:@std/assert@^1.0.0" → "@std/assert"
+   *   "npm:express@^4.18.0"    → "express"
+   *   "npm:@hono/hono@^4.0.0"  → "@hono/hono"
+   *   "lodash" (bare)          → "lodash"
+   */
+  extractNameFromSpecifier(specifier) {
+    const withoutPrefix = specifier.replace(/^(jsr:|npm:)/, "");
+    if (!withoutPrefix) return null;
+    if (withoutPrefix.startsWith("@")) {
+      const slashIndex = withoutPrefix.indexOf("/");
+      if (slashIndex === -1) return null;
+      const afterSlash = withoutPrefix.indexOf("@", slashIndex);
+      if (afterSlash === -1) return withoutPrefix;
+      return withoutPrefix.slice(0, afterSlash);
+    }
+    const atIndex = withoutPrefix.indexOf("@");
+    if (atIndex === -1) return withoutPrefix;
+    return withoutPrefix.slice(0, atIndex);
+  }
+  /**
+   * Builds a purl for a JSR package.
+   *
+   * JSR packages use the "jsr" purl type (non-standard but descriptive).
+   * For scoped packages, both @ and all / characters are percent-encoded.
+   * Example: `pkg:jsr/%40std%2Fassert@1.0.10`
+   */
+  buildJsrPurl(name, version) {
+    if (name.startsWith("@")) {
+      const encoded = "%40" + name.slice(1).replace(/\//g, "%2F");
+      return `pkg:jsr/${encoded}@${version}`;
+    }
+    return `pkg:jsr/${name}@${version}`;
+  }
+  /**
+   * Builds a purl for an npm package used via Deno.
+   *
+   * Uses the standard npm purl type since these are npm packages.
+   * Per npm purl spec, only @ is encoded, / remains as namespace separator.
+   * Example: `pkg:npm/%40std/assert@1.0.10` or `pkg:npm/express@4.21.2`
+   */
+  buildNpmPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+
+// src/scanners/poetry/poetry-scanner.ts
+var import_promises12 = require("fs/promises");
+var import_fs12 = require("fs");
+var import_path12 = __toESM(require("path"), 1);
+var PoetryScanner = class {
+  ecosystem = "poetry";
+  lockfileNames = ["poetry.lock"];
+  async detect(projectPath) {
+    const lockfilePath = import_path12.default.join(projectPath, "poetry.lock");
+    return (0, import_fs12.existsSync)(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, pyprojectRaw] = await Promise.all([
+      (0, import_promises12.readFile)(lockfilePath, "utf-8"),
+      (0, import_promises12.readFile)(import_path12.default.join(projectPath, "pyproject.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const directNames = pyprojectRaw ? this.parsePyprojectToml(pyprojectRaw) : /* @__PURE__ */ new Set();
+    const dependencies = [];
+    for (const pkg of packages) {
+      dependencies.push({
+        name: this.normalizePipName(pkg.name),
+        version: pkg.version,
+        direct: directNames.size > 0 ? directNames.has(this.normalizePipName(pkg.name)) : true,
+        ecosystem: "poetry",
+        purl: this.buildPurl(pkg.name, pkg.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "poetry",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses poetry.lock by splitting on [[package]] blocks.
+   * Lightweight parser that handles the regular structure
+   * without needing a full TOML library.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      if (name && version) {
+        packages.push({ name, version });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from poetry.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Parses `pyproject.toml` to extract direct dependency names.
+   *
+   * Looks for:
+   *   - `[tool.poetry.dependencies]` — main dependencies
+   *   - `[tool.poetry.group.dev.dependencies]` — dev dependencies
+   *   - `[tool.poetry.group.*.dependencies]` — other groups
+   *
+   * Supports formats:
+   *   - `requests = "^2.31.0"`
+   *   - `requests = { version = "^2.31.0", optional = true }`
+   *   - `python = "^3.12"` — skipped (the Python interpreter itself)
+   */
+  parsePyprojectToml(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDepsSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepsSection = line === "[tool.poetry.dependencies]" || /^\[tool\.poetry\.group\.[^\]]+\.dependencies\]$/.test(line);
+        continue;
+      }
+      if (inDepsSection && line && !line.startsWith("#")) {
+        const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*=/);
+        if (match && match[1]) {
+          const name = this.normalizePipName(match[1]);
+          if (name !== "python") {
+            directNames.add(name);
+          }
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "poetry").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+
+// src/scanners/uv/uv-scanner.ts
+var import_promises13 = require("fs/promises");
+var import_fs13 = require("fs");
+var import_path13 = __toESM(require("path"), 1);
+var UvScanner = class {
+  ecosystem = "uv";
+  lockfileNames = ["uv.lock"];
+  async detect(projectPath) {
+    const lockfilePath = import_path13.default.join(projectPath, "uv.lock");
+    return (0, import_fs13.existsSync)(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, pyprojectRaw] = await Promise.all([
+      (0, import_promises13.readFile)(lockfilePath, "utf-8"),
+      (0, import_promises13.readFile)(import_path13.default.join(projectPath, "pyproject.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const projectName = pyprojectRaw ? this.extractProjectName(pyprojectRaw) : null;
+    const directNames = pyprojectRaw ? this.parsePyprojectDeps(pyprojectRaw) : /* @__PURE__ */ new Set();
+    const dependencies = [];
+    for (const pkg of packages) {
+      if (pkg.isEditable) continue;
+      if (projectName && this.normalizePipName(pkg.name) === this.normalizePipName(projectName)) {
+        continue;
+      }
+      dependencies.push({
+        name: this.normalizePipName(pkg.name),
+        version: pkg.version,
+        direct: directNames.size > 0 ? directNames.has(this.normalizePipName(pkg.name)) : true,
+        ecosystem: "uv",
+        purl: this.buildPurl(pkg.name, pkg.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "uv",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses uv.lock by splitting on [[package]] blocks.
+   * Lightweight parser that handles the regular structure
+   * without needing a full TOML library.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      if (name && version) {
+        const isEditable = /source\s*=\s*\{[^}]*editable\s*=/.test(block) || /source\s*=\s*\{[^}]*virtual\s*=/.test(block);
+        packages.push({ name, version, isEditable });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from uv.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Extracts the project name from `pyproject.toml`.
+   * Looks for `name = "..."` under `[project]`.
+   */
+  extractProjectName(content) {
+    let inProjectSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inProjectSection = line === "[project]";
+        continue;
+      }
+      if (inProjectSection) {
+        const match = line.match(/^name\s*=\s*"([^"]*)"/);
+        if (match) return match[1];
+      }
+    }
+    return null;
+  }
+  /**
+   * Parses `pyproject.toml` to extract direct dependency names.
+   *
+   * Looks for:
+   *   - `[project]` → `dependencies = [...]` (PEP 621)
+   *   - `[project.optional-dependencies]` (extras)
+   *   - `[dependency-groups]` (PEP 735, used by uv for dev deps)
+   *
+   * Dependency strings follow PEP 508:
+   *   - `"requests>=2.31.0"`
+   *   - `"flask[dotenv]>=3.0"`
+   *   - `"black"` (bare name)
+   */
+  parsePyprojectDeps(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    this.extractInlineArray(content, directNames);
+    this.extractDependencyGroups(content, directNames);
+    return directNames;
+  }
+  /**
+   * Extracts dependency names from PEP 621 `dependencies = [...]` arrays
+   * and `[project.optional-dependencies]` sections.
+   */
+  extractInlineArray(content, directNames) {
+    const arrayRegex = /(?:^dependencies|^[a-zA-Z0-9_-]+)\s*=\s*\[([^\]]*)\]/gm;
+    let match;
+    while ((match = arrayRegex.exec(content)) !== null) {
+      const arrayContent = match[1];
+      this.extractPepNames(arrayContent, directNames);
+    }
+  }
+  /**
+   * Extracts dependency names from [dependency-groups] sections.
+   * Format:
+   * ```toml
+   * [dependency-groups]
+   * dev = ["pytest>=7.0", "black"]
+   * ```
+   */
+  extractDependencyGroups(content, directNames) {
+    let inDepGroups = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepGroups = line === "[dependency-groups]";
+        continue;
+      }
+      if (inDepGroups && line && !line.startsWith("#")) {
+        const arrayMatch = line.match(/^[a-zA-Z0-9_-]+\s*=\s*\[([^\]]*)\]/);
+        if (arrayMatch) {
+          this.extractPepNames(arrayMatch[1], directNames);
+        }
+      }
+    }
+  }
+  /**
+   * Extracts PEP 508 package names from a comma-separated
+   * list of quoted dependency strings.
+   */
+  extractPepNames(content, directNames) {
+    const depStrings = content.match(/"([^"]*)"/g);
+    if (!depStrings) return;
+    for (const quoted of depStrings) {
+      const depStr = quoted.replace(/"/g, "").trim();
+      if (!depStr) continue;
+      const nameMatch = depStr.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)/);
+      if (nameMatch && nameMatch[1]) {
+        directNames.add(this.normalizePipName(nameMatch[1]));
+      }
+    }
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "uv").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+
+// src/scanners/registry.ts
+var ScannerRegistry = class {
+  scanners;
+  constructor() {
+    this.scanners = [
+      new NpmScanner(),
+      new NugetScanner(),
+      new CargoScanner(),
+      new PipScanner(),
+      new PoetryScanner(),
+      new UvScanner(),
+      new MavenScanner(),
+      new GoScanner(),
+      new RubyScanner(),
+      new ComposerScanner(),
+      new YarnScanner(),
+      new PnpmScanner(),
+      new DenoScanner()
+    ];
+  }
+  /**
+   * Auto-detects the project's ecosystem and scans dependencies.
+   * Tries each registered scanner in order until one matches.
+   */
+  async detectAndScan(projectPath) {
+    for (const scanner of this.scanners) {
+      const lockfilePath = await scanner.detect(projectPath);
+      if (lockfilePath) {
+        return scanner.scan(projectPath, lockfilePath);
+      }
+    }
+    throw new NoLockfileError(projectPath);
+  }
+  /** Returns a specific scanner by ecosystem name */
+  getScanner(ecosystem) {
+    return this.scanners.find((s) => s.ecosystem === ecosystem);
+  }
+  /** Lists all registered ecosystems */
+  listEcosystems() {
+    return this.scanners.map((s) => s.ecosystem);
+  }
+};
+
+// src/sbom/cyclonedx.ts
+var import_crypto4 = require("crypto");
+var SCHEMA_URLS = {
+  "1.4": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "1.5": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "1.6": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "1.7": "http://cyclonedx.org/schema/bom-1.7.schema.json"
+};
+var CycloneDxGenerator = class {
+  constructor(specVersion = "1.7") {
+    this.specVersion = specVersion;
+  }
+  format = "cyclonedx-json";
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
+    const bom = this.buildBom(scanResult, toolVersion);
+    const content = JSON.stringify(bom, null, 2);
+    return {
+      format: "cyclonedx-json",
+      specVersion: this.specVersion,
+      content,
+      componentCount: scanResult.dependencies.length,
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  buildBom(scanResult, toolVersion) {
+    const projectName = extractProjectName(scanResult.projectPath);
+    return {
+      $schema: SCHEMA_URLS[this.specVersion],
+      bomFormat: "CycloneDX",
+      specVersion: this.specVersion,
+      serialNumber: `urn:uuid:${(0, import_crypto4.randomUUID)()}`,
+      version: 1,
+      metadata: {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        tools: this.buildTools(toolVersion),
+        // NTIA: metadata.supplier — the org supplying the root software
+        supplier: {
+          name: projectName
+        },
+        component: {
+          type: "application",
+          name: projectName,
+          "bom-ref": "root-component",
+          supplier: { name: projectName }
+        }
+      },
+      components: scanResult.dependencies.map((dep) => this.toComponent(dep)),
+      dependencies: this.buildDependencyGraph(scanResult)
+    };
+  }
+  /** Converts a Verimu Dependency to a CycloneDX component */
+  toComponent(dep) {
+    return {
+      type: "library",
+      name: dep.name,
+      version: dep.version,
+      purl: dep.purl,
+      "bom-ref": dep.purl,
+      scope: dep.direct ? "required" : "optional",
+      // NTIA: component.supplier — derived from npm scope or package name
+      supplier: {
+        name: deriveSupplierName(dep.name)
+      }
+    };
+  }
+  /**
+   * Builds the dependency graph section of the SBOM.
+   *
+   * The root component depends on all dependencies (direct + transitive).
+   * This ensures a single root node in the graph, which NTIA validators expect.
+   *
+   * We include ALL deps under root (not just direct) because from a flat lockfile
+   * we can't reliably reconstruct which transitive dep belongs to which direct dep.
+   * This is still valid per the CycloneDX spec — it represents a complete but flat
+   * dependency relationship.
+   */
+  buildDependencyGraph(scanResult) {
+    const allDepPurls = scanResult.dependencies.map((d) => d.purl);
+    return [
+      {
+        ref: "root-component",
+        dependsOn: allDepPurls
+      }
+    ];
+  }
+  /**
+   * Builds the tools metadata section.
+   *
+   * CycloneDX 1.4: tools is a flat array of { vendor, name, version, ... }
+   * CycloneDX 1.5+: tools is an object { components: [...] }
+   */
+  buildTools(toolVersion) {
+    if (this.specVersion === "1.4") {
+      return [
+        {
+          vendor: "Verimu",
+          name: VERIMU_TOOL_NAME,
+          version: toolVersion,
+          externalReferences: [{ type: "website", url: VERIMU_TOOL_WEBSITE }]
+        }
+      ];
+    }
+    return {
+      components: [
+        {
+          type: "application",
+          name: VERIMU_TOOL_NAME,
+          version: toolVersion,
+          description: VERIMU_TOOL_DESCRIPTION,
+          supplier: { name: "Verimu" },
+          externalReferences: [{ type: "website", url: VERIMU_TOOL_WEBSITE }]
+        }
+      ]
+    };
+  }
+};
+
+// src/sbom/spdx.ts
+var import_crypto5 = require("crypto");
+var SPDX_VERSION2 = "2.3";
+var SpdxJsonGenerator = class {
+  format = "spdx-json";
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const projectName = extractProjectName(scanResult.projectPath);
+    const rootPackageId = "SPDXRef-Package-root";
+    const dependencies = normalizeDependencies(scanResult.dependencies);
+    const document = {
+      spdxVersion: `SPDX-${SPDX_VERSION2}`,
+      dataLicense: "CC0-1.0",
+      SPDXID: "SPDXRef-DOCUMENT",
+      name: `${projectName}-sbom`,
+      documentNamespace: `https://verimu.com/spdxdocs/${projectName}-${(0, import_crypto5.randomUUID)()}`,
+      creationInfo: {
+        created: timestamp,
+        creators: [`Tool: ${VERIMU_TOOL_NAME}@${toolVersion}`]
+      },
+      documentDescribes: [rootPackageId],
+      packages: [
+        {
+          name: projectName,
+          SPDXID: rootPackageId,
+          versionInfo: "NOASSERTION",
+          supplier: `Organization: ${projectName}`,
+          downloadLocation: "NOASSERTION",
+          filesAnalyzed: false,
+          licenseConcluded: "NOASSERTION",
+          licenseDeclared: "NOASSERTION",
+          primaryPackagePurpose: "APPLICATION"
+        },
+        ...dependencies.map((dep, index) => ({
+          name: dep.name,
+          SPDXID: `SPDXRef-Package-${index + 1}`,
+          versionInfo: dep.version,
+          supplier: `Organization: ${dep.supplierName}`,
+          downloadLocation: "NOASSERTION",
+          filesAnalyzed: false,
+          licenseConcluded: "NOASSERTION",
+          licenseDeclared: "NOASSERTION",
+          primaryPackagePurpose: "LIBRARY",
+          externalRefs: [
+            {
+              referenceCategory: "PACKAGE-MANAGER",
+              referenceType: "purl",
+              referenceLocator: dep.purl
+            }
+          ]
+        }))
+      ],
+      relationships: [
+        {
+          spdxElementId: "SPDXRef-DOCUMENT",
+          relationshipType: "DESCRIBES",
+          relatedSpdxElement: rootPackageId
+        },
+        ...dependencies.map((_dep, index) => ({
+          spdxElementId: rootPackageId,
+          relationshipType: "DEPENDS_ON",
+          relatedSpdxElement: `SPDXRef-Package-${index + 1}`
+        }))
+      ]
+    };
+    return {
+      format: "spdx-json",
+      specVersion: SPDX_VERSION2,
+      content: JSON.stringify(document, null, 2),
+      componentCount: scanResult.dependencies.length,
+      generatedAt: timestamp
+    };
+  }
+};
+
+// src/sbom/swid.ts
+var import_crypto6 = require("crypto");
+var SWID_SPEC_VERSION2 = "ISO/IEC 19770-2:2015";
+var SwidTagGenerator = class {
+  format = "swid-xml";
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const projectName = extractProjectName(scanResult.projectPath);
+    const tagId = `com.verimu:${sanitizeTagId2(projectName)}:${DEFAULT_SWID_VERSION}:${(0, import_crypto6.randomUUID)()}`;
+    const content = [
+      '<?xml version="1.0" encoding="UTF-8"?>',
+      "<SoftwareIdentity",
+      '  xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"',
+      `  name="${escapeXml2(projectName)}"`,
+      `  tagId="${escapeXml2(tagId)}"`,
+      '  tagVersion="1"',
+      `  version="${DEFAULT_SWID_VERSION}"`,
+      '  versionScheme="semver">',
+      `  <Entity name="${escapeXml2(projectName)}" role="softwareCreator" />`,
+      '  <Entity name="Verimu" role="tagCreator" />',
+      `  <Meta product="${escapeXml2(projectName)}" generator="${VERIMU_TOOL_NAME}" toolVersion="${toolVersion}" generated="${timestamp}" />`,
+      "  <!-- TODO: Consider adding dependency/package evidence if we need richer SWID coverage. -->",
+      '  <Link rel="describedby" href="https://verimu.com" />',
+      "</SoftwareIdentity>"
+    ].join("\n");
+    return {
+      format: "swid-xml",
+      specVersion: SWID_SPEC_VERSION2,
+      content,
+      componentCount: 1,
+      generatedAt: timestamp
+    };
+  }
+};
+function escapeXml2(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&apos;");
+}
+function sanitizeTagId2(value) {
+  return value.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
+}
+
+// src/sbom/artifacts.ts
+function generateSbomArtifacts(scanResult, toolVersion = DEFAULT_TOOL_VERSION, cyclonedxVersion = "1.7") {
+  return {
+    cyclonedx: new CycloneDxGenerator(cyclonedxVersion).generate(scanResult, toolVersion),
+    spdx: new SpdxJsonGenerator().generate(scanResult, toolVersion),
+    swid: new SwidTagGenerator().generate(scanResult, toolVersion)
+  };
+}
+
 // src/cve/osv.ts
 var OSV_API_BASE = "https://api.osv.dev/v1";
 var BATCH_SIZE = 1e3;
@@ -1509,9 +2779,13 @@ var OsvSource = class {
       cargo: "crates.io",
       maven: "Maven",
       pip: "PyPI",
+      poetry: "PyPI",
+      uv: "PyPI",
       go: "Go",
       ruby: "RubyGems",
-      composer: "Packagist"
+      composer: "Packagist",
+      deno: "JSR"
+      // JSR packages (Deno registry)
     };
     return map[ecosystem] ?? ecosystem;
   }
@@ -1618,6 +2892,9 @@ var ConsoleReporter = class {
     lines.push("");
     lines.push(`  \u2713 SBOM generated (${result.sbom.format}, ${result.sbom.specVersion})`);
     lines.push(`    Components: ${result.sbom.componentCount}`);
+    if (result.artifacts) {
+      lines.push(`    Also wrote: ${result.artifacts.spdx.format}, ${result.artifacts.swid.format}`);
+    }
     lines.push("");
     const vulns = result.cveCheck.vulnerabilities;
     if (vulns.length === 0) {
@@ -1707,18 +2984,22 @@ var VerimuApiClient = class {
     return res.json();
   }
   /**
-   * Upload a CycloneDX SBOM to a project and trigger CVE scanning.
+   * Upload a software inventory artifact payload to a project and trigger CVE scanning.
+   *
+   * Backward-compatible:
+   * - string payloads are treated as legacy raw CycloneDX JSON
+   * - object payloads can include CycloneDX + SPDX + SWID together
    */
-  async uploadSbom(projectId, sbomContent) {
-    const sbomJson = JSON.parse(sbomContent);
+  async uploadSbom(projectId, payload) {
+    const body = typeof payload === "string" ? JSON.stringify(JSON.parse(payload)) : JSON.stringify(payload);
     const res = await fetch(`${this.baseUrl}/api/projects/${projectId}/scan`, {
       method: "POST",
       headers: this.headers(),
-      body: JSON.stringify(sbomJson)
+      body
     });
     if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Verimu API: upload SBOM failed (${res.status}): ${body}`);
+      const body2 = await res.text();
+      throw new Error(`Verimu API: upload SBOM failed (${res.status}): ${body2}`);
     }
     return res.json();
   }
@@ -1736,12 +3017,15 @@ var VerimuApiClient = class {
     const map = {
       npm: "npm",
       pip: "pip",
+      poetry: "poetry",
+      uv: "uv",
       maven: "maven",
       nuget: "nuget",
       go: "gomod",
       cargo: "cargo",
       ruby: "bundler",
-      composer: "composer"
+      composer: "composer",
+      deno: "deno"
     };
     return map[eco] ?? eco;
   }
@@ -1752,13 +3036,19 @@ async function scan(config) {
   const {
     projectPath,
     sbomOutput = "./sbom.cdx.json",
-    skipCveCheck = false
+    skipCveCheck = false,
+    cyclonedxVersion = "1.7"
   } = config;
   const registry = new ScannerRegistry();
   const scanResult = await registry.detectAndScan(projectPath);
-  const sbomGenerator = new CycloneDxGenerator();
-  const sbom = sbomGenerator.generate(scanResult);
-  await (0, import_promises9.writeFile)(sbomOutput, sbom.content, "utf-8");
+  const artifacts = generateSbomArtifacts(scanResult, void 0, cyclonedxVersion);
+  const sbom = artifacts.cyclonedx;
+  const outputPaths = deriveArtifactOutputPaths(sbomOutput);
+  await Promise.all([
+    (0, import_promises14.writeFile)(outputPaths.cyclonedx, artifacts.cyclonedx.content, "utf-8"),
+    (0, import_promises14.writeFile)(outputPaths.spdx, artifacts.spdx.content, "utf-8"),
+    (0, import_promises14.writeFile)(outputPaths.swid, artifacts.swid.content, "utf-8")
+  ]);
   let cveCheck;
   if (skipCveCheck) {
     cveCheck = {
@@ -1787,6 +3077,7 @@ async function scan(config) {
       dependencyCount: scanResult.dependencies.length
     },
     sbom,
+    artifacts,
     cveCheck,
     summary,
     generatedAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -1805,13 +3096,13 @@ async function uploadToVerimu(report, config) {
     throw new Error("API key required for upload");
   }
   const client = new VerimuApiClient(config.apiKey, config.apiBaseUrl);
-  const projectName = (0, import_path9.basename)(config.projectPath);
+  const projectName = (0, import_path14.basename)(config.projectPath);
   const upsertRes = await client.upsertProject({
     name: projectName,
     ecosystem: report.project.ecosystem
   });
   const projectId = upsertRes.project.id;
-  const scanRes = await client.uploadSbom(projectId, report.sbom.content);
+  const scanRes = await client.uploadSbom(projectId, buildUploadPayload(report));
   return {
     projectId,
     projectCreated: upsertRes.created,
@@ -1838,6 +3129,28 @@ function printReport(report) {
   const reporter = new ConsoleReporter();
   console.log(reporter.report(report));
 }
+function deriveArtifactOutputPaths(cycloneDxOutput) {
+  const parsed = (0, import_path14.parse)(cycloneDxOutput);
+  let baseName = parsed.name;
+  if (parsed.ext === ".json" && baseName.endsWith(".cdx")) {
+    baseName = baseName.slice(0, -4);
+  }
+  return {
+    cyclonedx: cycloneDxOutput,
+    spdx: (0, import_path14.join)(parsed.dir, `${baseName}.spdx.json`),
+    swid: (0, import_path14.join)(parsed.dir, `${baseName}.swid.xml`)
+  };
+}
+function buildUploadPayload(report) {
+  if (!report.artifacts) {
+    return report.sbom.content;
+  }
+  return {
+    cyclonedx: JSON.parse(report.artifacts.cyclonedx.content),
+    spdx: JSON.parse(report.artifacts.spdx.content),
+    swid: report.artifacts.swid.content
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ApiKeyRequiredError,
@@ -1847,6 +3160,7 @@ function printReport(report) {
   CveAggregator,
   CveSourceError,
   CycloneDxGenerator,
+  DenoScanner,
   GoScanner,
   LockfileParseError,
   MavenScanner,
@@ -1855,11 +3169,18 @@ function printReport(report) {
   NugetScanner,
   OsvSource,
   PipScanner,
+  PnpmScanner,
   RubyScanner,
   ScannerRegistry,
+  SpdxJsonGenerator,
+  SwidTagGenerator,
   VerimuApiClient,
   VerimuError,
+  YarnScanner,
   generateSbom,
+  generateSbomArtifacts,
+  generateSpdxSbom,
+  generateSwidTag,
   printReport,
   scan,
   shouldFailCi,