npm - verimu - Versions diffs - 0.0.9 → 0.0.13 - Mend

verimu 0.0.9 → 0.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +9 -6
package/dist/{cli.mjs → cli.js} +1295 -65
package/dist/cli.js.map +1 -0
package/dist/index.cjs +1503 -182
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +415 -24
package/dist/index.d.ts +415 -24
package/dist/index.mjs +1495 -182
package/dist/index.mjs.map +1 -1
package/package.json +9 -3
package/dist/cli.mjs.map +0 -1

package/dist/index.mjs CHANGED Viewed

@@ -1,17 +1,63 @@
 // src/generate-sbom.ts
 import { randomUUID } from "crypto";
+// src/sbom/shared.ts
+var VERIMU_TOOL_NAME = "verimu";
+var VERIMU_TOOL_WEBSITE = "https://verimu.com";
+var VERIMU_TOOL_DESCRIPTION = "Verimu CRA Compliance Scanner";
+var DEFAULT_TOOL_VERSION = "0.1.0";
+var DEFAULT_PROJECT_VERSION = "0.0.0";
+var DEFAULT_SWID_VERSION = "0.0.0";
+var PURL_TYPE_MAP = {
+  npm: "npm",
+  nuget: "nuget",
+  cargo: "cargo",
+  maven: "maven",
+  pip: "pypi",
+  poetry: "pypi",
+  uv: "pypi",
+  go: "golang",
+  ruby: "gem",
+  composer: "composer",
+  deno: "deno"
+};
+function buildPurl(name, version, ecosystem) {
+  const type = PURL_TYPE_MAP[ecosystem] || ecosystem;
+  if (ecosystem === "npm" && name.startsWith("@")) {
+    return `pkg:${type}/%40${name.slice(1)}@${version}`;
+  }
+  return `pkg:${type}/${name}@${version}`;
+}
+function deriveSupplierName(packageName) {
+  if (packageName.startsWith("@")) {
+    return packageName.split("/")[0];
+  }
+  return packageName;
+}
+function extractProjectName(projectPath) {
+  const parts = projectPath.replace(/\\/g, "/").split("/");
+  return parts[parts.length - 1] || "unknown-project";
+}
+function normalizeDependencies(dependencies) {
+  return dependencies.map((dep) => ({
+    name: dep.name,
+    version: dep.version,
+    ecosystem: dep.ecosystem,
+    direct: dep.direct ?? true,
+    purl: dep.purl ?? buildPurl(dep.name, dep.version, dep.ecosystem),
+    supplierName: deriveSupplierName(dep.name)
+  }));
+}
+// src/generate-sbom.ts
 function generateSbom(input) {
   const {
     projectName,
-    projectVersion = "0.0.0",
+    projectVersion = DEFAULT_PROJECT_VERSION,
     dependencies
   } = input;
   const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-  const resolvedDeps = dependencies.map((dep) => ({
-    ...dep,
-    direct: dep.direct ?? true,
-    purl: dep.purl ?? buildPurl(dep.name, dep.version, dep.ecosystem)
-  }));
+  const resolvedDeps = normalizeDependencies(dependencies);
   const rootPurl = buildPurl(projectName, projectVersion, "npm");
   const sbom = {
     $schema: "http://cyclonedx.org/schema/bom-1.7.schema.json",
@@ -25,12 +71,12 @@ function generateSbom(input) {
         components: [
           {
             type: "application",
-            name: "verimu",
+            name: VERIMU_TOOL_NAME,
             version: "0.0.1",
-            description: "Verimu CRA Compliance Scanner",
+            description: VERIMU_TOOL_DESCRIPTION,
             supplier: { name: "Verimu" },
             externalReferences: [
-              { type: "website", url: "https://verimu.com" }
+              { type: "website", url: VERIMU_TOOL_WEBSITE }
             ]
           }
         ]
@@ -51,7 +97,7 @@ function generateSbom(input) {
       purl: dep.purl,
       "bom-ref": dep.purl,
       scope: dep.direct ? "required" : "optional",
-      supplier: { name: deriveSupplierName(dep.name) }
+      supplier: { name: dep.supplierName }
     })),
     dependencies: [
       {
@@ -69,33 +115,130 @@ function generateSbom(input) {
     generatedAt: timestamp
   };
 }
-var PURL_TYPE_MAP = {
-  npm: "npm",
-  nuget: "nuget",
-  cargo: "cargo",
-  maven: "maven",
-  pip: "pypi",
-  go: "golang",
-  ruby: "gem",
-  composer: "composer"
-};
-function buildPurl(name, version, ecosystem) {
-  const type = PURL_TYPE_MAP[ecosystem] || ecosystem;
-  if (ecosystem === "npm" && name.startsWith("@")) {
-    return `pkg:${type}/%40${name.slice(1)}@${version}`;
-  }
-  return `pkg:${type}/${name}@${version}`;
+// src/generate-spdx.ts
+import { randomUUID as randomUUID2 } from "crypto";
+var SPDX_VERSION = "2.3";
+function generateSpdxSbom(input) {
+  const {
+    projectName,
+    projectVersion = DEFAULT_PROJECT_VERSION,
+    dependencies
+  } = input;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const resolvedDeps = normalizeDependencies(dependencies);
+  const rootPackageId = "SPDXRef-Package-root";
+  const spdx = {
+    spdxVersion: `SPDX-${SPDX_VERSION}`,
+    dataLicense: "CC0-1.0",
+    SPDXID: "SPDXRef-DOCUMENT",
+    name: `${projectName}-sbom`,
+    documentNamespace: `https://verimu.com/spdxdocs/${projectName}-${randomUUID2()}`,
+    creationInfo: {
+      created: timestamp,
+      creators: [`Tool: ${VERIMU_TOOL_NAME}`]
+    },
+    documentDescribes: [rootPackageId],
+    packages: [
+      {
+        name: projectName,
+        SPDXID: rootPackageId,
+        versionInfo: projectVersion,
+        supplier: `Organization: ${projectName}`,
+        downloadLocation: "NOASSERTION",
+        filesAnalyzed: false,
+        licenseConcluded: "NOASSERTION",
+        licenseDeclared: "NOASSERTION",
+        primaryPackagePurpose: "APPLICATION"
+      },
+      ...resolvedDeps.map((dep, index) => ({
+        name: dep.name,
+        SPDXID: `SPDXRef-Package-${index + 1}`,
+        versionInfo: dep.version,
+        supplier: `Organization: ${dep.supplierName}`,
+        downloadLocation: "NOASSERTION",
+        filesAnalyzed: false,
+        licenseConcluded: "NOASSERTION",
+        licenseDeclared: "NOASSERTION",
+        primaryPackagePurpose: "LIBRARY",
+        externalRefs: [
+          {
+            referenceCategory: "PACKAGE-MANAGER",
+            referenceType: "purl",
+            referenceLocator: dep.purl
+          }
+        ]
+      }))
+    ],
+    relationships: [
+      {
+        spdxElementId: "SPDXRef-DOCUMENT",
+        relationshipType: "DESCRIBES",
+        relatedSpdxElement: rootPackageId
+      },
+      ...resolvedDeps.map((_dep, index) => ({
+        spdxElementId: rootPackageId,
+        relationshipType: "DEPENDS_ON",
+        relatedSpdxElement: `SPDXRef-Package-${index + 1}`
+      }))
+    ]
+  };
+  const content = JSON.stringify(spdx, null, 2);
+  return {
+    sbom: spdx,
+    content,
+    componentCount: resolvedDeps.length,
+    specVersion: SPDX_VERSION,
+    generatedAt: timestamp
+  };
 }
-function deriveSupplierName(packageName) {
-  if (packageName.startsWith("@")) {
-    return packageName.split("/")[0];
-  }
-  return packageName;
+// src/generate-swid.ts
+import { randomUUID as randomUUID3 } from "crypto";
+var SWID_SPEC_VERSION = "ISO/IEC 19770-2:2015";
+function generateSwidTag(input) {
+  const {
+    projectName,
+    projectVersion = DEFAULT_PROJECT_VERSION
+  } = input;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const tagVersion = 1;
+  const normalizedVersion = projectVersion || DEFAULT_SWID_VERSION;
+  const tagId = `com.verimu:${sanitizeTagId(projectName)}:${normalizedVersion}:${randomUUID3()}`;
+  const tag = [
+    '<?xml version="1.0" encoding="UTF-8"?>',
+    "<SoftwareIdentity",
+    '  xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"',
+    `  name="${escapeXml(projectName)}"`,
+    `  tagId="${escapeXml(tagId)}"`,
+    `  tagVersion="${tagVersion}"`,
+    `  version="${escapeXml(normalizedVersion)}"`,
+    '  versionScheme="semver">',
+    `  <Entity name="${escapeXml(projectName)}" role="softwareCreator" />`,
+    '  <Entity name="Verimu" role="tagCreator" />',
+    `  <Meta product="${escapeXml(projectName)}" generator="${VERIMU_TOOL_NAME}" generated="${timestamp}" />`,
+    "  <!-- TODO: Consider adding dependency/package evidence if we need richer SWID coverage. -->",
+    '  <Link rel="describedby" href="https://verimu.com" />',
+    "</SoftwareIdentity>"
+  ].join("\n");
+  return {
+    tag,
+    content: tag,
+    componentCount: 1,
+    specVersion: SWID_SPEC_VERSION,
+    generatedAt: timestamp
+  };
+}
+function escapeXml(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&apos;");
+}
+function sanitizeTagId(value) {
+  return value.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
 }
 // src/scan.ts
 import { writeFile } from "fs/promises";
-import { basename } from "path";
+import { basename, join, parse } from "path";
 // src/scanners/npm/npm-scanner.ts
 import { readFile } from "fs/promises";
@@ -113,7 +256,7 @@ var VerimuError = class extends Error {
 var NoLockfileError = class extends VerimuError {
   constructor(projectPath) {
     super(
-      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby), composer.lock (Composer)`,
+      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (pip), poetry.lock (Poetry), uv.lock (uv), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby), composer.lock (Composer), yarn.lock (Yarn), pnpm-lock.yaml (pnpm)`,
       "NO_LOCKFILE"
     );
     this.name = "NoLockfileError";
@@ -1030,161 +1173,1280 @@ var ComposerScanner = class {
   }
 };
-// src/scanners/registry.ts
-var ScannerRegistry = class {
-  scanners;
-  constructor() {
-    this.scanners = [
-      new NpmScanner(),
-      new NugetScanner(),
-      new CargoScanner(),
-      new PipScanner(),
-      new MavenScanner(),
-      new GoScanner(),
-      new RubyScanner(),
-      new ComposerScanner()
-    ];
+// src/scanners/yarn/yarn-scanner.ts
+import { readFile as readFile9 } from "fs/promises";
+import { existsSync as existsSync9 } from "fs";
+import path9 from "path";
+import { parse as parseYaml } from "yaml";
+var YarnScanner = class {
+  ecosystem = "npm";
+  lockfileNames = ["yarn.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path9.join(projectPath, "yarn.lock");
+    return existsSync9(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, packageJsonRaw] = await Promise.all([
+      readFile9(lockfilePath, "utf-8"),
+      readFile9(path9.join(projectPath, "package.json"), "utf-8").catch(() => null)
+    ]);
+    const directNames = /* @__PURE__ */ new Set();
+    if (packageJsonRaw) {
+      try {
+        const pkg = JSON.parse(packageJsonRaw);
+        for (const name of Object.keys(pkg.dependencies ?? {})) {
+          directNames.add(name);
+        }
+        for (const name of Object.keys(pkg.devDependencies ?? {})) {
+          directNames.add(name);
+        }
+      } catch {
+      }
+    }
+    const dependencies = this.parseLockfile(lockfileRaw, lockfilePath, directNames);
+    return {
+      projectPath,
+      ecosystem: "npm",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
   }
   /**
-   * Auto-detects the project's ecosystem and scans dependencies.
-   * Tries each registered scanner in order until one matches.
+   * Parses yarn.lock file and extracts dependencies.
+   * Automatically detects and handles both v1 (Classic) and v2+ (Berry) formats.
    */
-  async detectAndScan(projectPath) {
-    for (const scanner of this.scanners) {
-      const lockfilePath = await scanner.detect(projectPath);
-      if (lockfilePath) {
-        return scanner.scan(projectPath, lockfilePath);
+  parseLockfile(content, lockfilePath, directNames) {
+    try {
+      const isV2Plus = this.isYarnV2Plus(content);
+      if (isV2Plus) {
+        return this.parseLockfileV2Plus(content, lockfilePath, directNames);
+      } else {
+        return this.parseLockfileV1(content, lockfilePath, directNames);
       }
+    } catch (err) {
+      throw new LockfileParseError(
+        lockfilePath,
+        `Failed to parse yarn.lock: ${err instanceof Error ? err.message : "Unknown error"}`
+      );
     }
-    throw new NoLockfileError(projectPath);
-  }
-  /** Returns a specific scanner by ecosystem name */
-  getScanner(ecosystem) {
-    return this.scanners.find((s) => s.ecosystem === ecosystem);
-  }
-  /** Lists all registered ecosystems */
-  listEcosystems() {
-    return this.scanners.map((s) => s.ecosystem);
   }
-};
-// src/sbom/cyclonedx.ts
-import { randomUUID as randomUUID2 } from "crypto";
-var CycloneDxGenerator = class {
-  format = "cyclonedx-json";
-  generate(scanResult, toolVersion = "0.1.0") {
-    const bom = this.buildBom(scanResult, toolVersion);
-    const content = JSON.stringify(bom, null, 2);
-    return {
-      format: "cyclonedx-json",
-      specVersion: "1.7",
-      content,
-      componentCount: scanResult.dependencies.length,
-      generatedAt: (/* @__PURE__ */ new Date()).toISOString()
-    };
+  /**
+   * Detects if the lockfile is Yarn v2+ (Berry) format.
+   * v2+ uses YAML format and contains __metadata section.
+   */
+  isYarnV2Plus(content) {
+    return content.startsWith("__metadata:") || content.includes("\n__metadata:");
   }
-  buildBom(scanResult, toolVersion) {
-    const projectName = this.extractProjectName(scanResult.projectPath);
-    return {
-      $schema: "http://cyclonedx.org/schema/bom-1.7.schema.json",
-      bomFormat: "CycloneDX",
-      specVersion: "1.7",
-      serialNumber: `urn:uuid:${randomUUID2()}`,
-      version: 1,
-      metadata: {
-        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        tools: {
-          components: [
-            {
-              type: "application",
-              name: "verimu",
-              version: toolVersion,
-              description: "Verimu CRA Compliance Scanner",
-              supplier: { name: "Verimu" },
-              externalReferences: [
-                {
-                  type: "website",
-                  url: "https://verimu.com"
-                }
-              ]
-            }
-          ]
-        },
-        // NTIA: metadata.supplier — the org supplying the root software
-        supplier: {
-          name: projectName
-        },
-        component: {
-          type: "application",
-          name: projectName,
-          "bom-ref": "root-component",
-          supplier: { name: projectName }
+  /**
+   * Parses Yarn v2+ (Berry) lockfile format.
+   *
+   * Yarn v2+ format (YAML):
+   * ```yaml
+   * __metadata:
+   *   version: 6
+   *
+   * "package-name@npm:^1.0.0":
+   *   version: 1.2.3
+   *   resolution: "package-name@npm:1.2.3"
+   *   dependencies:
+   *     dep1: ^2.0.0
+   *   checksum: ...
+   *   languageName: node
+   *   linkType: hard
+   * ```
+   */
+  parseLockfileV2Plus(content, lockfilePath, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    try {
+      const parsed = parseYaml(content);
+      if (!parsed || typeof parsed !== "object") {
+        throw new Error("Invalid YAML format");
+      }
+      for (const [key, value] of Object.entries(parsed)) {
+        if (key === "__metadata" || key.includes("@workspace:")) {
+          continue;
         }
-      },
-      components: scanResult.dependencies.map((dep) => this.toComponent(dep)),
-      dependencies: this.buildDependencyGraph(scanResult)
-    };
+        if (typeof value !== "object" || value === null) {
+          continue;
+        }
+        const entry = value;
+        let name = null;
+        if (entry.resolution && typeof entry.resolution === "string") {
+          name = this.extractPackageNameFromResolution(entry.resolution);
+        }
+        if (!name) {
+          name = this.extractPackageNameV2Plus(key);
+        }
+        const version = entry.version;
+        if (!name || !version || typeof version !== "string") {
+          continue;
+        }
+        const depKey = `${name}@${version}`;
+        if (seen.has(depKey)) {
+          continue;
+        }
+        seen.set(depKey, true);
+        deps.push({
+          name,
+          version,
+          direct: directNames.has(name),
+          ecosystem: "npm",
+          purl: this.buildPurl(name, version)
+        });
+      }
+    } catch (err) {
+      throw new Error(`Failed to parse Yarn v2+ lockfile: ${err instanceof Error ? err.message : "Unknown error"}`);
+    }
+    return deps;
   }
-  /** Converts a Verimu Dependency to a CycloneDX component */
-  toComponent(dep) {
-    return {
-      type: "library",
-      name: dep.name,
-      version: dep.version,
-      purl: dep.purl,
-      "bom-ref": dep.purl,
-      scope: dep.direct ? "required" : "optional",
-      // NTIA: component.supplier — derived from npm scope or package name
-      supplier: {
-        name: this.deriveSupplierName(dep.name)
+  /**
+   * Extracts package name from Yarn v2+ resolution field.
+   * The resolution field contains the real package name.
+   * Examples:
+   *   "express@npm:4.18.2" → "express"
+   *   "@types/node@npm:20.11.5" → "@types/node"
+   *   "lodash@npm:4.17.21" → "lodash"
+   */
+  extractPackageNameFromResolution(resolution) {
+    if (resolution.startsWith("@")) {
+      const match2 = resolution.match(/^(@[^@]+\/[^@]+)@/);
+      if (match2) {
+        return match2[1];
       }
-    };
+    }
+    const match = resolution.match(/^([^@]+)@/);
+    if (match) {
+      return match[1];
+    }
+    return null;
   }
   /**
-   * Derives a supplier name from a package name.
-   *
-   * For scoped packages like "@vue/reactivity" → "@vue"
-   * For unscoped packages like "express" → "express"
-   *
-   * This is the same heuristic used by Syft, Trivy, and other SBOM tools
-   * when registry metadata (author/publisher) isn't available from the lockfile.
+   * Extracts package name from Yarn v2+ package key.
+   * Examples:
+   *   "express@npm:^4.18.0" → "express"
+   *   "@types/node@npm:^20.0.0" → "@types/node"
+   *   "pkg@npm:other@npm:^1.0.0" → "pkg" (aliased packages)
    */
-  deriveSupplierName(packageName) {
-    if (packageName.startsWith("@")) {
-      const scope = packageName.split("/")[0];
-      return scope;
+  extractPackageNameV2Plus(key) {
+    if (key.startsWith("@")) {
+      const match2 = key.match(/^(@[^@]+\/[^@]+)@/);
+      if (match2) {
+        return match2[1];
+      }
+    }
+    const match = key.match(/^([^@]+)@/);
+    if (match) {
+      return match[1];
     }
-    return packageName;
+    return null;
   }
   /**
-   * Builds the dependency graph section of the SBOM.
+   * Parses Yarn v1 (Classic) lockfile format.
    *
-   * The root component depends on all dependencies (direct + transitive).
-   * This ensures a single root node in the graph, which NTIA validators expect.
-   *
-   * We include ALL deps under root (not just direct) because from a flat lockfile
-   * we can't reliably reconstruct which transitive dep belongs to which direct dep.
-   * This is still valid per the CycloneDX spec — it represents a complete but flat
-   * dependency relationship.
+   * Yarn v1 format:
+   * ```
+   * "package-name@^1.0.0":
+   *   version "1.2.3"
+   *   resolved "https://..."
+   *   integrity sha512-...
+   *   dependencies:
+   *     dep1 "^2.0.0"
+   * ```
    */
-  buildDependencyGraph(scanResult) {
-    const allDepPurls = scanResult.dependencies.map((d) => d.purl);
-    return [
-      {
-        ref: "root-component",
-        dependsOn: allDepPurls
+  parseLockfileV1(content, lockfilePath, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    const lines = content.split("\n");
+    let currentPackage = null;
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (line.trim().startsWith("#") || line.trim() === "") {
+        continue;
       }
-    ];
-  }
-  /** Extracts project name from path */
-  extractProjectName(projectPath) {
-    const parts = projectPath.replace(/\\/g, "/").split("/");
-    return parts[parts.length - 1] || "unknown-project";
-  }
-};
-// src/cve/osv.ts
-var OSV_API_BASE = "https://api.osv.dev/v1";
+      if (line.match(/^["\w@]/) && line.includes(":") && !line.startsWith("  ")) {
+        if (currentPackage?.version) {
+          this.addDependency(currentPackage, directNames, seen, deps);
+        }
+        const pkgLine = line.substring(0, line.lastIndexOf(":"));
+        const names = pkgLine.split(",").map((s) => s.trim().replace(/^["']|["']$/g, "")).map((s) => this.extractPackageName(s)).filter((s) => !!s);
+        currentPackage = { names, version: void 0 };
+      } else if (line.trim().startsWith("version ") && currentPackage) {
+        const match = line.match(/version\s+"([^"]+)"/);
+        if (match) {
+          currentPackage.version = match[1];
+        }
+      }
+    }
+    if (currentPackage?.version) {
+      this.addDependency(currentPackage, directNames, seen, deps);
+    }
+    return deps;
+  }
+  /**
+   * Adds a dependency to the result list (deduplicates by name@version)
+   */
+  addDependency(pkg, directNames, seen, deps) {
+    if (!pkg.version) return;
+    const name = pkg.names[0];
+    if (!name) return;
+    const key = `${name}@${pkg.version}`;
+    if (seen.has(key)) return;
+    seen.set(key, true);
+    deps.push({
+      name,
+      version: pkg.version,
+      direct: directNames.has(name),
+      ecosystem: "npm",
+      purl: this.buildPurl(name, pkg.version)
+    });
+  }
+  /**
+   * Extracts package name from yarn.lock package declaration.
+   * Examples:
+   *   "express@^4.18.0" → "express"
+   *   "@types/node@^20.0.0" → "@types/node"
+   *   "pkg@npm:other@^1.0.0" → "pkg" (aliased packages)
+   */
+  extractPackageName(pkgDeclaration) {
+    if (pkgDeclaration.includes("@npm:")) {
+      const beforeAlias = pkgDeclaration.split("@npm:")[0];
+      return beforeAlias || null;
+    }
+    if (pkgDeclaration.startsWith("@")) {
+      const parts = pkgDeclaration.split("@");
+      if (parts.length >= 3) {
+        return `@${parts[1]}`;
+      }
+    } else {
+      const atIndex = pkgDeclaration.indexOf("@");
+      if (atIndex > 0) {
+        return pkgDeclaration.substring(0, atIndex);
+      }
+    }
+    return null;
+  }
+  /**
+   * Builds a purl (Package URL) for an npm package.
+   *
+   * Per the purl spec:
+   * "The npm scope @ sign prefix is always percent encoded."
+   *
+   * So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5
+   * And express@4.18.2 → pkg:npm/express@4.18.2
+   */
+  buildPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+// src/scanners/pnpm/pnpm-scanner.ts
+import { readFile as readFile10 } from "fs/promises";
+import { existsSync as existsSync10 } from "fs";
+import path10 from "path";
+import { parse as parseYaml2 } from "yaml";
+var PnpmScanner = class {
+  ecosystem = "npm";
+  lockfileNames = ["pnpm-lock.yaml"];
+  async detect(projectPath) {
+    const lockfilePath = path10.join(projectPath, "pnpm-lock.yaml");
+    return existsSync10(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await readFile10(lockfilePath, "utf-8");
+    const dependencies = this.parseLockfile(lockfileRaw, lockfilePath);
+    return {
+      projectPath,
+      ecosystem: "npm",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses pnpm-lock.yaml file and extracts dependencies.
+   *
+   * pnpm-lock.yaml format (v5.4+):
+   * ```yaml
+   * lockfileVersion: 5.4
+   *
+   * dependencies:
+   *   express: 4.18.2
+   *
+   * devDependencies:
+   *   typescript: 5.0.0
+   *
+   * packages:
+   *   /express/4.18.2:
+   *     resolution: {integrity: sha512-...}
+   *     dependencies:
+   *       accepts: 1.3.8
+   *   /@types/node/20.11.5:
+   *     resolution: {integrity: sha512-...}
+   *     dev: true
+   * ```
+   *
+   * pnpm-lock.yaml format (v6.0+):
+   * ```yaml
+   * lockfileVersion: '6.0'
+   *
+   * dependencies:
+   *   express:
+   *     specifier: ^4.18.0
+   *     version: 4.18.2
+   *
+   * packages:
+   *   /express@4.18.2:
+   *     resolution: {integrity: sha512-...}
+   * ```
+   */
+  parseLockfile(content, lockfilePath) {
+    try {
+      const parsed = parseYaml2(content);
+      if (!parsed || typeof parsed !== "object") {
+        throw new Error("Invalid YAML format");
+      }
+      const lockfile = parsed;
+      const lockfileVersion = this.parseLockfileVersion(lockfile.lockfileVersion);
+      const directNames = this.extractDirectDependencies(lockfile);
+      return this.extractDependencies(lockfile, lockfileVersion, directNames);
+    } catch (err) {
+      throw new LockfileParseError(
+        lockfilePath,
+        `Failed to parse pnpm-lock.yaml: ${err instanceof Error ? err.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Extracts direct dependency names from pnpm lockfile.
+   *
+   * Supports both formats:
+   * - pnpm v5.x: root-level dependencies/devDependencies
+   * - pnpm v6+: importers['.'].dependencies/devDependencies
+   */
+  extractDirectDependencies(lockfile) {
+    const directNames = /* @__PURE__ */ new Set();
+    if (lockfile.importers && typeof lockfile.importers === "object") {
+      const rootImporter = lockfile.importers["."];
+      if (rootImporter && typeof rootImporter === "object") {
+        if (rootImporter.dependencies && typeof rootImporter.dependencies === "object") {
+          for (const name of Object.keys(rootImporter.dependencies)) {
+            directNames.add(name);
+          }
+        }
+        if (rootImporter.devDependencies && typeof rootImporter.devDependencies === "object") {
+          for (const name of Object.keys(rootImporter.devDependencies)) {
+            directNames.add(name);
+          }
+        }
+      }
+    }
+    if (directNames.size === 0) {
+      if (lockfile.dependencies && typeof lockfile.dependencies === "object") {
+        for (const name of Object.keys(lockfile.dependencies)) {
+          directNames.add(name);
+        }
+      }
+      if (lockfile.devDependencies && typeof lockfile.devDependencies === "object") {
+        for (const name of Object.keys(lockfile.devDependencies)) {
+          directNames.add(name);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Parses lockfile version (can be string or number)
+   */
+  parseLockfileVersion(version) {
+    if (typeof version === "number") {
+      return version;
+    }
+    if (typeof version === "string") {
+      const parsed = parseFloat(version);
+      return isNaN(parsed) ? 5.4 : parsed;
+    }
+    return 5.4;
+  }
+  /**
+   * Extracts dependencies from the lockfile packages section
+   */
+  extractDependencies(lockfile, lockfileVersion, directNames) {
+    const deps = [];
+    const seen = /* @__PURE__ */ new Map();
+    if (!lockfile.packages || typeof lockfile.packages !== "object") {
+      return deps;
+    }
+    for (const [pkgPath, pkgInfo] of Object.entries(lockfile.packages)) {
+      if (!pkgInfo || typeof pkgInfo !== "object") {
+        continue;
+      }
+      if (pkgPath.includes("@workspace:")) {
+        continue;
+      }
+      const { name, version } = this.parsePackagePath(pkgPath, lockfileVersion);
+      if (!name || !version) {
+        continue;
+      }
+      const depKey = `${name}@${version}`;
+      if (seen.has(depKey)) {
+        continue;
+      }
+      seen.set(depKey, true);
+      deps.push({
+        name,
+        version,
+        direct: directNames.has(name),
+        ecosystem: "npm",
+        purl: this.buildPurl(name, version)
+      });
+    }
+    return deps;
+  }
+  /**
+   * Parses package path to extract name and version.
+   *
+   * pnpm v5.x format:
+   *   "/express/4.18.2" → name: "express", version: "4.18.2"
+   *   "/@types/node/20.11.5" → name: "@types/node", version: "20.11.5"
+   *   "/accepts/1.3.8" → name: "accepts", version: "1.3.8"
+   *
+   * pnpm v6+ format:
+   *   "/express@4.18.2" → name: "express", version: "4.18.2"
+   *   "/@types/node@20.11.5" → name: "@types/node", version: "20.11.5"
+   *   "/accepts@1.3.8" → name: "accepts", version: "1.3.8"
+   *
+   * Also handles peer dependency suffixes:
+   *   "/pkg@1.0.0_dep@2.0.0" → name: "pkg", version: "1.0.0"
+   *   "/pkg@1.0.0(dep@2.0.0)" → name: "pkg", version: "1.0.0"
+   */
+  parsePackagePath(pkgPath, lockfileVersion) {
+    const path14 = pkgPath.startsWith("/") ? pkgPath.slice(1) : pkgPath;
+    const cleanPath = path14.split("_")[0].split("(")[0];
+    if (!cleanPath) {
+      return { name: null, version: null };
+    }
+    if (lockfileVersion >= 6) {
+      return this.parseV6Format(cleanPath);
+    }
+    return this.parseV5Format(cleanPath);
+  }
+  /**
+   * Parses v6+ format: "express@4.18.2" or "@types/node@20.11.5"
+   */
+  parseV6Format(path14) {
+    if (path14.startsWith("@")) {
+      const lastAtIndex = path14.lastIndexOf("@");
+      if (lastAtIndex <= 0) {
+        return { name: null, version: null };
+      }
+      const name2 = path14.substring(0, lastAtIndex);
+      const version2 = path14.substring(lastAtIndex + 1);
+      return { name: name2, version: version2 };
+    }
+    const atIndex = path14.indexOf("@");
+    if (atIndex < 0) {
+      return { name: null, version: null };
+    }
+    const name = path14.substring(0, atIndex);
+    const version = path14.substring(atIndex + 1);
+    return { name, version };
+  }
+  /**
+   * Parses v5.x format: "express/4.18.2" or "@types/node/20.11.5"
+   */
+  parseV5Format(path14) {
+    if (path14.startsWith("@")) {
+      const parts = path14.split("/");
+      if (parts.length < 3) {
+        return { name: null, version: null };
+      }
+      const name2 = `${parts[0]}/${parts[1]}`;
+      const version2 = parts[2];
+      return { name: name2, version: version2 };
+    }
+    const slashIndex = path14.indexOf("/");
+    if (slashIndex < 0) {
+      return { name: null, version: null };
+    }
+    const name = path14.substring(0, slashIndex);
+    const version = path14.substring(slashIndex + 1);
+    return { name, version };
+  }
+  /**
+   * Builds a purl (Package URL) for an npm package.
+   *
+   * Per the purl spec:
+   * "The npm scope @ sign prefix is always percent encoded."
+   *
+   * So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5
+   * And express@4.18.2 → pkg:npm/express@4.18.2
+   */
+  buildPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+// src/scanners/deno/deno-scanner.ts
+import { readFile as readFile11 } from "fs/promises";
+import { existsSync as existsSync11 } from "fs";
+import path11 from "path";
+var DenoScanner = class {
+  ecosystem = "deno";
+  lockfileNames = ["deno.lock"];
+  async detect(projectPath) {
+    for (const name of this.lockfileNames) {
+      const lockfilePath = path11.join(projectPath, name);
+      if (existsSync11(lockfilePath)) return lockfilePath;
+    }
+    return null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await readFile11(lockfilePath, "utf-8");
+    let lockfile;
+    try {
+      lockfile = JSON.parse(lockfileRaw);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON");
+    }
+    const dependencies = this.parseLockfile(lockfile);
+    return {
+      projectPath,
+      ecosystem: "deno",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses the lockfile and extracts dependencies from both
+   * npm and jsr package registries.
+   *
+   * Supports v3 (packages nested under `packages`), v4, and v5 (top-level jsr/npm sections).
+   * Uses lockfile specifiers to determine direct vs transitive dependencies.
+   */
+  parseLockfile(lockfile) {
+    const deps = [];
+    const directNames = this.extractDirectDependencies(lockfile);
+    const jsrPackages = lockfile.jsr ?? lockfile.packages?.jsr ?? {};
+    const npmPackages = lockfile.npm ?? lockfile.packages?.npm ?? {};
+    for (const key of Object.keys(jsrPackages)) {
+      const parsed = this.parsePackageKey(key);
+      if (!parsed) continue;
+      deps.push({
+        name: parsed.name,
+        version: parsed.version,
+        direct: directNames.has(`jsr:${parsed.name}`),
+        ecosystem: "deno",
+        // JSR packages belong to Deno ecosystem
+        purl: this.buildJsrPurl(parsed.name, parsed.version)
+      });
+    }
+    for (const key of Object.keys(npmPackages)) {
+      const parsed = this.parsePackageKey(key);
+      if (!parsed) continue;
+      deps.push({
+        name: parsed.name,
+        version: parsed.version,
+        direct: directNames.has(`npm:${parsed.name}`),
+        ecosystem: "npm",
+        // npm packages belong to npm ecosystem (for CVE tracking)
+        purl: this.buildNpmPurl(parsed.name, parsed.version)
+      });
+    }
+    return deps;
+  }
+  /**
+   * Extracts direct dependency names from lockfile specifiers.
+   *
+   * Returns a set of ecosystem-qualified package names like "jsr:@std/assert" or "npm:express".
+   * The ecosystem prefix prevents collisions if the same package name exists in both registries.
+   */
+  extractDirectDependencies(lockfile) {
+    const directNames = /* @__PURE__ */ new Set();
+    const specifiers = lockfile.specifiers ?? lockfile.packages?.specifiers ?? {};
+    for (const [constraint, resolved] of Object.entries(specifiers)) {
+      if (resolved.startsWith("file:") || resolved.startsWith("https:") || resolved.startsWith("http:") || resolved.startsWith("data:")) {
+        continue;
+      }
+      let ecosystem = null;
+      if (constraint.startsWith("jsr:")) {
+        ecosystem = "jsr";
+      } else if (constraint.startsWith("npm:")) {
+        ecosystem = "npm";
+      }
+      if (!ecosystem) continue;
+      let resolvedKey = resolved;
+      if (resolved.startsWith("jsr:") || resolved.startsWith("npm:")) {
+        resolvedKey = resolved.replace(/^(jsr:|npm:)/, "");
+        const parsed = this.parsePackageKey(resolvedKey);
+        if (parsed) {
+          directNames.add(`${ecosystem}:${parsed.name}`);
+        }
+      } else {
+        const name = this.extractNameFromSpecifier(constraint);
+        if (name) {
+          directNames.add(`${ecosystem}:${name}`);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Parses a package key like "@std/assert@1.0.10" or "express@4.21.2"
+   * into { name, version }.
+   *
+   * Handles scoped packages where the name starts with @ (e.g., @std/assert).
+   * In that case the version separator is the LAST @ sign.
+   */
+  parsePackageKey(key) {
+    const lastAtIndex = key.lastIndexOf("@");
+    if (lastAtIndex <= 0) return null;
+    const name = key.slice(0, lastAtIndex);
+    const version = key.slice(lastAtIndex + 1);
+    if (!name || !version) return null;
+    return { name, version };
+  }
+  /**
+   * Extracts the package name from a Deno import specifier.
+   *
+   * Examples:
+   *   "jsr:@std/assert@^1.0.0" → "@std/assert"
+   *   "npm:express@^4.18.0"    → "express"
+   *   "npm:@hono/hono@^4.0.0"  → "@hono/hono"
+   *   "lodash" (bare)          → "lodash"
+   */
+  extractNameFromSpecifier(specifier) {
+    const withoutPrefix = specifier.replace(/^(jsr:|npm:)/, "");
+    if (!withoutPrefix) return null;
+    if (withoutPrefix.startsWith("@")) {
+      const slashIndex = withoutPrefix.indexOf("/");
+      if (slashIndex === -1) return null;
+      const afterSlash = withoutPrefix.indexOf("@", slashIndex);
+      if (afterSlash === -1) return withoutPrefix;
+      return withoutPrefix.slice(0, afterSlash);
+    }
+    const atIndex = withoutPrefix.indexOf("@");
+    if (atIndex === -1) return withoutPrefix;
+    return withoutPrefix.slice(0, atIndex);
+  }
+  /**
+   * Builds a purl for a JSR package.
+   *
+   * JSR packages use the "jsr" purl type (non-standard but descriptive).
+   * For scoped packages, both @ and all / characters are percent-encoded.
+   * Example: `pkg:jsr/%40std%2Fassert@1.0.10`
+   */
+  buildJsrPurl(name, version) {
+    if (name.startsWith("@")) {
+      const encoded = "%40" + name.slice(1).replace(/\//g, "%2F");
+      return `pkg:jsr/${encoded}@${version}`;
+    }
+    return `pkg:jsr/${name}@${version}`;
+  }
+  /**
+   * Builds a purl for an npm package used via Deno.
+   *
+   * Uses the standard npm purl type since these are npm packages.
+   * Per npm purl spec, only @ is encoded, / remains as namespace separator.
+   * Example: `pkg:npm/%40std/assert@1.0.10` or `pkg:npm/express@4.21.2`
+   */
+  buildNpmPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+};
+// src/scanners/poetry/poetry-scanner.ts
+import { readFile as readFile12 } from "fs/promises";
+import { existsSync as existsSync12 } from "fs";
+import path12 from "path";
+var PoetryScanner = class {
+  ecosystem = "poetry";
+  lockfileNames = ["poetry.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path12.join(projectPath, "poetry.lock");
+    return existsSync12(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, pyprojectRaw] = await Promise.all([
+      readFile12(lockfilePath, "utf-8"),
+      readFile12(path12.join(projectPath, "pyproject.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const directNames = pyprojectRaw ? this.parsePyprojectToml(pyprojectRaw) : /* @__PURE__ */ new Set();
+    const dependencies = [];
+    for (const pkg of packages) {
+      dependencies.push({
+        name: this.normalizePipName(pkg.name),
+        version: pkg.version,
+        direct: directNames.size > 0 ? directNames.has(this.normalizePipName(pkg.name)) : true,
+        ecosystem: "poetry",
+        purl: this.buildPurl(pkg.name, pkg.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "poetry",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses poetry.lock by splitting on [[package]] blocks.
+   * Lightweight parser that handles the regular structure
+   * without needing a full TOML library.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      if (name && version) {
+        packages.push({ name, version });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from poetry.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Parses `pyproject.toml` to extract direct dependency names.
+   *
+   * Looks for:
+   *   - `[tool.poetry.dependencies]` — main dependencies
+   *   - `[tool.poetry.group.dev.dependencies]` — dev dependencies
+   *   - `[tool.poetry.group.*.dependencies]` — other groups
+   *
+   * Supports formats:
+   *   - `requests = "^2.31.0"`
+   *   - `requests = { version = "^2.31.0", optional = true }`
+   *   - `python = "^3.12"` — skipped (the Python interpreter itself)
+   */
+  parsePyprojectToml(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDepsSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepsSection = line === "[tool.poetry.dependencies]" || /^\[tool\.poetry\.group\.[^\]]+\.dependencies\]$/.test(line);
+        continue;
+      }
+      if (inDepsSection && line && !line.startsWith("#")) {
+        const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*=/);
+        if (match && match[1]) {
+          const name = this.normalizePipName(match[1]);
+          if (name !== "python") {
+            directNames.add(name);
+          }
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "poetry").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+// src/scanners/uv/uv-scanner.ts
+import { readFile as readFile13 } from "fs/promises";
+import { existsSync as existsSync13 } from "fs";
+import path13 from "path";
+var UvScanner = class {
+  ecosystem = "uv";
+  lockfileNames = ["uv.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path13.join(projectPath, "uv.lock");
+    return existsSync13(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, pyprojectRaw] = await Promise.all([
+      readFile13(lockfilePath, "utf-8"),
+      readFile13(path13.join(projectPath, "pyproject.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const projectName = pyprojectRaw ? this.extractProjectName(pyprojectRaw) : null;
+    const directNames = pyprojectRaw ? this.parsePyprojectDeps(pyprojectRaw) : /* @__PURE__ */ new Set();
+    const dependencies = [];
+    for (const pkg of packages) {
+      if (pkg.isEditable) continue;
+      if (projectName && this.normalizePipName(pkg.name) === this.normalizePipName(projectName)) {
+        continue;
+      }
+      dependencies.push({
+        name: this.normalizePipName(pkg.name),
+        version: pkg.version,
+        direct: directNames.size > 0 ? directNames.has(this.normalizePipName(pkg.name)) : true,
+        ecosystem: "uv",
+        purl: this.buildPurl(pkg.name, pkg.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "uv",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses uv.lock by splitting on [[package]] blocks.
+   * Lightweight parser that handles the regular structure
+   * without needing a full TOML library.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      if (name && version) {
+        const isEditable = /source\s*=\s*\{[^}]*editable\s*=/.test(block) || /source\s*=\s*\{[^}]*virtual\s*=/.test(block);
+        packages.push({ name, version, isEditable });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from uv.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Extracts the project name from `pyproject.toml`.
+   * Looks for `name = "..."` under `[project]`.
+   */
+  extractProjectName(content) {
+    let inProjectSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inProjectSection = line === "[project]";
+        continue;
+      }
+      if (inProjectSection) {
+        const match = line.match(/^name\s*=\s*"([^"]*)"/);
+        if (match) return match[1];
+      }
+    }
+    return null;
+  }
+  /**
+   * Parses `pyproject.toml` to extract direct dependency names.
+   *
+   * Looks for:
+   *   - `[project]` → `dependencies = [...]` (PEP 621)
+   *   - `[project.optional-dependencies]` (extras)
+   *   - `[dependency-groups]` (PEP 735, used by uv for dev deps)
+   *
+   * Dependency strings follow PEP 508:
+   *   - `"requests>=2.31.0"`
+   *   - `"flask[dotenv]>=3.0"`
+   *   - `"black"` (bare name)
+   */
+  parsePyprojectDeps(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    this.extractInlineArray(content, directNames);
+    this.extractDependencyGroups(content, directNames);
+    return directNames;
+  }
+  /**
+   * Extracts dependency names from PEP 621 `dependencies = [...]` arrays
+   * and `[project.optional-dependencies]` sections.
+   */
+  extractInlineArray(content, directNames) {
+    const arrayRegex = /(?:^dependencies|^[a-zA-Z0-9_-]+)\s*=\s*\[([^\]]*)\]/gm;
+    let match;
+    while ((match = arrayRegex.exec(content)) !== null) {
+      const arrayContent = match[1];
+      this.extractPepNames(arrayContent, directNames);
+    }
+  }
+  /**
+   * Extracts dependency names from [dependency-groups] sections.
+   * Format:
+   * ```toml
+   * [dependency-groups]
+   * dev = ["pytest>=7.0", "black"]
+   * ```
+   */
+  extractDependencyGroups(content, directNames) {
+    let inDepGroups = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepGroups = line === "[dependency-groups]";
+        continue;
+      }
+      if (inDepGroups && line && !line.startsWith("#")) {
+        const arrayMatch = line.match(/^[a-zA-Z0-9_-]+\s*=\s*\[([^\]]*)\]/);
+        if (arrayMatch) {
+          this.extractPepNames(arrayMatch[1], directNames);
+        }
+      }
+    }
+  }
+  /**
+   * Extracts PEP 508 package names from a comma-separated
+   * list of quoted dependency strings.
+   */
+  extractPepNames(content, directNames) {
+    const depStrings = content.match(/"([^"]*)"/g);
+    if (!depStrings) return;
+    for (const quoted of depStrings) {
+      const depStr = quoted.replace(/"/g, "").trim();
+      if (!depStr) continue;
+      const nameMatch = depStr.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)/);
+      if (nameMatch && nameMatch[1]) {
+        directNames.add(this.normalizePipName(nameMatch[1]));
+      }
+    }
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "uv").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+// src/scanners/registry.ts
+var ScannerRegistry = class {
+  scanners;
+  constructor() {
+    this.scanners = [
+      new NpmScanner(),
+      new NugetScanner(),
+      new CargoScanner(),
+      new PipScanner(),
+      new PoetryScanner(),
+      new UvScanner(),
+      new MavenScanner(),
+      new GoScanner(),
+      new RubyScanner(),
+      new ComposerScanner(),
+      new YarnScanner(),
+      new PnpmScanner(),
+      new DenoScanner()
+    ];
+  }
+  /**
+   * Auto-detects the project's ecosystem and scans dependencies.
+   * Tries each registered scanner in order until one matches.
+   */
+  async detectAndScan(projectPath) {
+    for (const scanner of this.scanners) {
+      const lockfilePath = await scanner.detect(projectPath);
+      if (lockfilePath) {
+        return scanner.scan(projectPath, lockfilePath);
+      }
+    }
+    throw new NoLockfileError(projectPath);
+  }
+  /** Returns a specific scanner by ecosystem name */
+  getScanner(ecosystem) {
+    return this.scanners.find((s) => s.ecosystem === ecosystem);
+  }
+  /** Lists all registered ecosystems */
+  listEcosystems() {
+    return this.scanners.map((s) => s.ecosystem);
+  }
+};
+// src/sbom/cyclonedx.ts
+import { randomUUID as randomUUID4 } from "crypto";
+var SCHEMA_URLS = {
+  "1.4": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "1.5": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "1.6": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "1.7": "http://cyclonedx.org/schema/bom-1.7.schema.json"
+};
+var CycloneDxGenerator = class {
+  constructor(specVersion = "1.7") {
+    this.specVersion = specVersion;
+  }
+  format = "cyclonedx-json";
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
+    const bom = this.buildBom(scanResult, toolVersion);
+    const content = JSON.stringify(bom, null, 2);
+    return {
+      format: "cyclonedx-json",
+      specVersion: this.specVersion,
+      content,
+      componentCount: scanResult.dependencies.length,
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  buildBom(scanResult, toolVersion) {
+    const projectName = extractProjectName(scanResult.projectPath);
+    return {
+      $schema: SCHEMA_URLS[this.specVersion],
+      bomFormat: "CycloneDX",
+      specVersion: this.specVersion,
+      serialNumber: `urn:uuid:${randomUUID4()}`,
+      version: 1,
+      metadata: {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        tools: this.buildTools(toolVersion),
+        // NTIA: metadata.supplier — the org supplying the root software
+        supplier: {
+          name: projectName
+        },
+        component: {
+          type: "application",
+          name: projectName,
+          "bom-ref": "root-component",
+          supplier: { name: projectName }
+        }
+      },
+      components: scanResult.dependencies.map((dep) => this.toComponent(dep)),
+      dependencies: this.buildDependencyGraph(scanResult)
+    };
+  }
+  /** Converts a Verimu Dependency to a CycloneDX component */
+  toComponent(dep) {
+    return {
+      type: "library",
+      name: dep.name,
+      version: dep.version,
+      purl: dep.purl,
+      "bom-ref": dep.purl,
+      scope: dep.direct ? "required" : "optional",
+      // NTIA: component.supplier — derived from npm scope or package name
+      supplier: {
+        name: deriveSupplierName(dep.name)
+      }
+    };
+  }
+  /**
+   * Builds the dependency graph section of the SBOM.
+   *
+   * The root component depends on all dependencies (direct + transitive).
+   * This ensures a single root node in the graph, which NTIA validators expect.
+   *
+   * We include ALL deps under root (not just direct) because from a flat lockfile
+   * we can't reliably reconstruct which transitive dep belongs to which direct dep.
+   * This is still valid per the CycloneDX spec — it represents a complete but flat
+   * dependency relationship.
+   */
+  buildDependencyGraph(scanResult) {
+    const allDepPurls = scanResult.dependencies.map((d) => d.purl);
+    return [
+      {
+        ref: "root-component",
+        dependsOn: allDepPurls
+      }
+    ];
+  }
+  /**
+   * Builds the tools metadata section.
+   *
+   * CycloneDX 1.4: tools is a flat array of { vendor, name, version, ... }
+   * CycloneDX 1.5+: tools is an object { components: [...] }
+   */
+  buildTools(toolVersion) {
+    if (this.specVersion === "1.4") {
+      return [
+        {
+          vendor: "Verimu",
+          name: VERIMU_TOOL_NAME,
+          version: toolVersion,
+          externalReferences: [{ type: "website", url: VERIMU_TOOL_WEBSITE }]
+        }
+      ];
+    }
+    return {
+      components: [
+        {
+          type: "application",
+          name: VERIMU_TOOL_NAME,
+          version: toolVersion,
+          description: VERIMU_TOOL_DESCRIPTION,
+          supplier: { name: "Verimu" },
+          externalReferences: [{ type: "website", url: VERIMU_TOOL_WEBSITE }]
+        }
+      ]
+    };
+  }
+};
+// src/sbom/spdx.ts
+import { randomUUID as randomUUID5 } from "crypto";
+var SPDX_VERSION2 = "2.3";
+var SpdxJsonGenerator = class {
+  format = "spdx-json";
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const projectName = extractProjectName(scanResult.projectPath);
+    const rootPackageId = "SPDXRef-Package-root";
+    const dependencies = normalizeDependencies(scanResult.dependencies);
+    const document = {
+      spdxVersion: `SPDX-${SPDX_VERSION2}`,
+      dataLicense: "CC0-1.0",
+      SPDXID: "SPDXRef-DOCUMENT",
+      name: `${projectName}-sbom`,
+      documentNamespace: `https://verimu.com/spdxdocs/${projectName}-${randomUUID5()}`,
+      creationInfo: {
+        created: timestamp,
+        creators: [`Tool: ${VERIMU_TOOL_NAME}@${toolVersion}`]
+      },
+      documentDescribes: [rootPackageId],
+      packages: [
+        {
+          name: projectName,
+          SPDXID: rootPackageId,
+          versionInfo: "NOASSERTION",
+          supplier: `Organization: ${projectName}`,
+          downloadLocation: "NOASSERTION",
+          filesAnalyzed: false,
+          licenseConcluded: "NOASSERTION",
+          licenseDeclared: "NOASSERTION",
+          primaryPackagePurpose: "APPLICATION"
+        },
+        ...dependencies.map((dep, index) => ({
+          name: dep.name,
+          SPDXID: `SPDXRef-Package-${index + 1}`,
+          versionInfo: dep.version,
+          supplier: `Organization: ${dep.supplierName}`,
+          downloadLocation: "NOASSERTION",
+          filesAnalyzed: false,
+          licenseConcluded: "NOASSERTION",
+          licenseDeclared: "NOASSERTION",
+          primaryPackagePurpose: "LIBRARY",
+          externalRefs: [
+            {
+              referenceCategory: "PACKAGE-MANAGER",
+              referenceType: "purl",
+              referenceLocator: dep.purl
+            }
+          ]
+        }))
+      ],
+      relationships: [
+        {
+          spdxElementId: "SPDXRef-DOCUMENT",
+          relationshipType: "DESCRIBES",
+          relatedSpdxElement: rootPackageId
+        },
+        ...dependencies.map((_dep, index) => ({
+          spdxElementId: rootPackageId,
+          relationshipType: "DEPENDS_ON",
+          relatedSpdxElement: `SPDXRef-Package-${index + 1}`
+        }))
+      ]
+    };
+    return {
+      format: "spdx-json",
+      specVersion: SPDX_VERSION2,
+      content: JSON.stringify(document, null, 2),
+      componentCount: scanResult.dependencies.length,
+      generatedAt: timestamp
+    };
+  }
+};
+// src/sbom/swid.ts
+import { randomUUID as randomUUID6 } from "crypto";
+var SWID_SPEC_VERSION2 = "ISO/IEC 19770-2:2015";
+var SwidTagGenerator = class {
+  format = "swid-xml";
+  generate(scanResult, toolVersion = DEFAULT_TOOL_VERSION) {
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const projectName = extractProjectName(scanResult.projectPath);
+    const tagId = `com.verimu:${sanitizeTagId2(projectName)}:${DEFAULT_SWID_VERSION}:${randomUUID6()}`;
+    const content = [
+      '<?xml version="1.0" encoding="UTF-8"?>',
+      "<SoftwareIdentity",
+      '  xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"',
+      `  name="${escapeXml2(projectName)}"`,
+      `  tagId="${escapeXml2(tagId)}"`,
+      '  tagVersion="1"',
+      `  version="${DEFAULT_SWID_VERSION}"`,
+      '  versionScheme="semver">',
+      `  <Entity name="${escapeXml2(projectName)}" role="softwareCreator" />`,
+      '  <Entity name="Verimu" role="tagCreator" />',
+      `  <Meta product="${escapeXml2(projectName)}" generator="${VERIMU_TOOL_NAME}" toolVersion="${toolVersion}" generated="${timestamp}" />`,
+      "  <!-- TODO: Consider adding dependency/package evidence if we need richer SWID coverage. -->",
+      '  <Link rel="describedby" href="https://verimu.com" />',
+      "</SoftwareIdentity>"
+    ].join("\n");
+    return {
+      format: "swid-xml",
+      specVersion: SWID_SPEC_VERSION2,
+      content,
+      componentCount: 1,
+      generatedAt: timestamp
+    };
+  }
+};
+function escapeXml2(value) {
+  return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll('"', "&quot;").replaceAll("'", "&apos;");
+}
+function sanitizeTagId2(value) {
+  return value.toLowerCase().replace(/[^a-z0-9._-]+/g, "-").replace(/^-+|-+$/g, "");
+}
+// src/sbom/artifacts.ts
+function generateSbomArtifacts(scanResult, toolVersion = DEFAULT_TOOL_VERSION, cyclonedxVersion = "1.7") {
+  return {
+    cyclonedx: new CycloneDxGenerator(cyclonedxVersion).generate(scanResult, toolVersion),
+    spdx: new SpdxJsonGenerator().generate(scanResult, toolVersion),
+    swid: new SwidTagGenerator().generate(scanResult, toolVersion)
+  };
+}
+// src/cve/osv.ts
+var OSV_API_BASE = "https://api.osv.dev/v1";
 var BATCH_SIZE = 1e3;
 var OsvSource = class {
   sourceId = "osv";
@@ -1450,9 +2712,13 @@ var OsvSource = class {
       cargo: "crates.io",
       maven: "Maven",
       pip: "PyPI",
+      poetry: "PyPI",
+      uv: "PyPI",
       go: "Go",
       ruby: "RubyGems",
-      composer: "Packagist"
+      composer: "Packagist",
+      deno: "JSR"
+      // JSR packages (Deno registry)
     };
     return map[ecosystem] ?? ecosystem;
   }
@@ -1559,6 +2825,9 @@ var ConsoleReporter = class {
     lines.push("");
     lines.push(`  \u2713 SBOM generated (${result.sbom.format}, ${result.sbom.specVersion})`);
     lines.push(`    Components: ${result.sbom.componentCount}`);
+    if (result.artifacts) {
+      lines.push(`    Also wrote: ${result.artifacts.spdx.format}, ${result.artifacts.swid.format}`);
+    }
     lines.push("");
     const vulns = result.cveCheck.vulnerabilities;
     if (vulns.length === 0) {
@@ -1648,18 +2917,22 @@ var VerimuApiClient = class {
     return res.json();
   }
   /**
-   * Upload a CycloneDX SBOM to a project and trigger CVE scanning.
+   * Upload a software inventory artifact payload to a project and trigger CVE scanning.
+   *
+   * Backward-compatible:
+   * - string payloads are treated as legacy raw CycloneDX JSON
+   * - object payloads can include CycloneDX + SPDX + SWID together
    */
-  async uploadSbom(projectId, sbomContent) {
-    const sbomJson = JSON.parse(sbomContent);
+  async uploadSbom(projectId, payload) {
+    const body = typeof payload === "string" ? JSON.stringify(JSON.parse(payload)) : JSON.stringify(payload);
     const res = await fetch(`${this.baseUrl}/api/projects/${projectId}/scan`, {
       method: "POST",
       headers: this.headers(),
-      body: JSON.stringify(sbomJson)
+      body
     });
     if (!res.ok) {
-      const body = await res.text();
-      throw new Error(`Verimu API: upload SBOM failed (${res.status}): ${body}`);
+      const body2 = await res.text();
+      throw new Error(`Verimu API: upload SBOM failed (${res.status}): ${body2}`);
     }
     return res.json();
   }
@@ -1677,12 +2950,15 @@ var VerimuApiClient = class {
     const map = {
       npm: "npm",
       pip: "pip",
+      poetry: "poetry",
+      uv: "uv",
       maven: "maven",
       nuget: "nuget",
       go: "gomod",
       cargo: "cargo",
       ruby: "bundler",
-      composer: "composer"
+      composer: "composer",
+      deno: "deno"
     };
     return map[eco] ?? eco;
   }
@@ -1693,13 +2969,19 @@ async function scan(config) {
   const {
     projectPath,
     sbomOutput = "./sbom.cdx.json",
-    skipCveCheck = false
+    skipCveCheck = false,
+    cyclonedxVersion = "1.7"
   } = config;
   const registry = new ScannerRegistry();
   const scanResult = await registry.detectAndScan(projectPath);
-  const sbomGenerator = new CycloneDxGenerator();
-  const sbom = sbomGenerator.generate(scanResult);
-  await writeFile(sbomOutput, sbom.content, "utf-8");
+  const artifacts = generateSbomArtifacts(scanResult, void 0, cyclonedxVersion);
+  const sbom = artifacts.cyclonedx;
+  const outputPaths = deriveArtifactOutputPaths(sbomOutput);
+  await Promise.all([
+    writeFile(outputPaths.cyclonedx, artifacts.cyclonedx.content, "utf-8"),
+    writeFile(outputPaths.spdx, artifacts.spdx.content, "utf-8"),
+    writeFile(outputPaths.swid, artifacts.swid.content, "utf-8")
+  ]);
   let cveCheck;
   if (skipCveCheck) {
     cveCheck = {
@@ -1728,6 +3010,7 @@ async function scan(config) {
       dependencyCount: scanResult.dependencies.length
     },
     sbom,
+    artifacts,
     cveCheck,
     summary,
     generatedAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -1752,7 +3035,7 @@ async function uploadToVerimu(report, config) {
     ecosystem: report.project.ecosystem
   });
   const projectId = upsertRes.project.id;
-  const scanRes = await client.uploadSbom(projectId, report.sbom.content);
+  const scanRes = await client.uploadSbom(projectId, buildUploadPayload(report));
   return {
     projectId,
     projectCreated: upsertRes.created,
@@ -1779,6 +3062,28 @@ function printReport(report) {
   const reporter = new ConsoleReporter();
   console.log(reporter.report(report));
 }
+function deriveArtifactOutputPaths(cycloneDxOutput) {
+  const parsed = parse(cycloneDxOutput);
+  let baseName = parsed.name;
+  if (parsed.ext === ".json" && baseName.endsWith(".cdx")) {
+    baseName = baseName.slice(0, -4);
+  }
+  return {
+    cyclonedx: cycloneDxOutput,
+    spdx: join(parsed.dir, `${baseName}.spdx.json`),
+    swid: join(parsed.dir, `${baseName}.swid.xml`)
+  };
+}
+function buildUploadPayload(report) {
+  if (!report.artifacts) {
+    return report.sbom.content;
+  }
+  return {
+    cyclonedx: JSON.parse(report.artifacts.cyclonedx.content),
+    spdx: JSON.parse(report.artifacts.spdx.content),
+    swid: report.artifacts.swid.content
+  };
+}
 export {
   ApiKeyRequiredError,
   CargoScanner,
@@ -1787,6 +3092,7 @@ export {
   CveAggregator,
   CveSourceError,
   CycloneDxGenerator,
+  DenoScanner,
   GoScanner,
   LockfileParseError,
   MavenScanner,
@@ -1795,11 +3101,18 @@ export {
   NugetScanner,
   OsvSource,
   PipScanner,
+  PnpmScanner,
   RubyScanner,
   ScannerRegistry,
+  SpdxJsonGenerator,
+  SwidTagGenerator,
   VerimuApiClient,
   VerimuError,
+  YarnScanner,
   generateSbom,
+  generateSbomArtifacts,
+  generateSpdxSbom,
+  generateSwidTag,
   printReport,
   scan,
   shouldFailCi,