Skip to content

feat: add JS workspace discovery and public batch API#415

Open
a-oren wants to merge 4 commits intoguacsec:mainfrom
a-oren:TC-3863
Open

feat: add JS workspace discovery and public batch API#415
a-oren wants to merge 4 commits intoguacsec:mainfrom
a-oren:TC-3863

Conversation

@a-oren
Copy link
Copy Markdown
Contributor

@a-oren a-oren commented Apr 15, 2026
edited by atlassian bot
Loading

Summary

  • Add JsWorkspaceDiscovery utility for parsing pnpm-workspace.yaml and package.json workspaces field to discover member package.json manifests
  • Add parent-traversal lock file discovery to JavaScriptProviderFactory so workspace members find the lock file at the workspace root
  • Add stackAnalysisBatch() and stackAnalysisBatchHtml() to Api interface and ExhortApi implementation
  • Add jackson-dataformat-yaml dependency for YAML parsing
  • Add comprehensive test suites for workspace discovery and lock file walk-up

Details

JsWorkspaceDiscovery is a static utility class that discovers workspace
member packages by parsing pnpm-workspace.yaml (packages array) or
package.json (workspaces array/object format). It globs for package.json
files, filters by ignore patterns, and validates each manifest has name
and version fields.

JavaScriptProviderFactory.create() now walks up parent directories when
no lock file is found in the manifest directory. This enables workspace
member packages to find the single lock file at the workspace root.
The walk-up stops at workspace root boundaries or git root, and supports
TRUSTIFY_DA_WORKSPACE_DIR override.

The batch API methods delegate to the existing performBatchAnalysis()
infrastructure, following the same pattern as imageAnalysis(). Config
(TRUSTIFY_DA_CONTINUE_ON_ERROR) is read from environment internally.

Implements TC-3863

Test plan

  • pnpm-workspace.yaml parsing discovers member packages
  • package.json workspaces array and object formats parsed correctly
  • Invalid manifests (missing name/version) are skipped
  • Ignore patterns filter out matching paths
  • Workspace root detection works for both pnpm and npm/yarn
  • Lock file found at workspace root via parent walk-up (npm, yarn, pnpm)
  • Walk-up stops at workspace root boundary
  • TRUSTIFY_DA_WORKSPACE_DIR override works
  • No lock file anywhere throws descriptive error
  • Existing tests unaffected (19 new tests, 0 regressions)

🤖 Generated with Claude Code

@a-oren @claude
feat: add JS workspace discovery and public batch API
34f9e41 
Add JavaScript/TypeScript monorepo workspace support to the Java client:

- Add JsWorkspaceDiscovery utility for parsing pnpm-workspace.yaml and
  package.json workspaces field to discover member package.json manifests
- Add parent-traversal lock file discovery to JavaScriptProviderFactory
  so workspace members find the lock file at the workspace root
- Add stackAnalysisBatch() and stackAnalysisBatchHtml() to Api interface
- Implement batch methods in ExhortApi using existing performBatchAnalysis()
  infrastructure with TRUSTIFY_DA_CONTINUE_ON_ERROR support
- Add jackson-dataformat-yaml dependency for YAML parsing
- Add comprehensive test suites for workspace discovery and lock file walk-up

Implements TC-3863

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@a-oren
Copy link
Copy Markdown
Contributor Author

a-oren commented Apr 15, 2026

/review

ruromero
ruromero requested changes Apr 15, 2026
View reviewed changes
Comment thread src/main/java/io/github/guacsec/trustifyda/impl/ExhortApi.java Outdated
var provider = Ecosystem.getProvider(manifest);
var content = provider.provideStack();
var sbomJson = mapper.readTree(content.buffer);
String key = manifest.getParent().getFileName().toString();
Copy link
Copy Markdown
Collaborator

@ruromero ruromero Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the key must be a purl, not the file name.
Use the sbom metadata.component.purl

Comment thread src/main/java/io/github/guacsec/trustifyda/impl/ExhortApi.java Outdated

Map<String, JsonNode> getBatchStackSboms(
final Path workspaceDir, final Set<String> ignorePatterns) {
boolean continueOnError = Environment.getBoolean("TRUSTIFY_DA_CONTINUE_ON_ERROR", false);
Copy link
Copy Markdown
Collaborator

@ruromero ruromero Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This defaults to true in the JS implementation
https://github.com/guacsec/trustify-da-javascript-client/blob/main/src/batch_opts.js#L10

Comment thread src/main/java/io/github/guacsec/trustifyda/impl/ExhortApi.java Outdated
boolean continueOnError = Environment.getBoolean("TRUSTIFY_DA_CONTINUE_ON_ERROR", false);
try {
List<Path> manifests =
JsWorkspaceDiscovery.discoverWorkspaceManifests(workspaceDir, ignorePatterns);
Copy link
Copy Markdown
Collaborator

@ruromero ruromero Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be generic and also support Cargo. At this point it should detect the provider and get the manifests for this provider.
As this PR is only for Cargo support, implement only the manifest detection and the provider resolution.

Comment thread src/main/java/io/github/guacsec/trustifyda/impl/ExhortApi.java Outdated
final Path workspaceDir, final Set<String> ignorePatterns) {
boolean continueOnError = Environment.getBoolean("TRUSTIFY_DA_CONTINUE_ON_ERROR", false);
try {
List<Path> manifests =
Copy link
Copy Markdown
Collaborator

@ruromero ruromero Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend that here if the root is not private we also return the root as a folder so that a report for the root is also generated having 1 + N (root + modules)
This is not possible in all package managers but when possible it should be done to provide more information about license and production deps in the root package

a-oren and others added 3 commits April 16, 2026 14:55
@a-oren @claude
fix: address PR review feedback and align with JS client
a00b2e5 
- Use purl as SBOM map key instead of directory name
- Default TRUSTIFY_DA_CONTINUE_ON_ERROR to true (matching JS client)
- Add generic ecosystem detection: Cargo workspace first, then JS
- Add Cargo workspace discovery via cargo metadata --no-deps
- Add configurable batch concurrency (TRUSTIFY_DA_BATCH_CONCURRENCY)
- Add batch metadata logging (TRUSTIFY_DA_BATCH_METADATA)
- Add ignore pattern resolution from defaults + env var + caller
- Include root package.json when not private (1+N pattern)
- Extract shared WorkspaceUtils.filterByIgnorePatterns() utility
- Check for JS lock file before attempting JS workspace discovery

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@a-oren
Merge branch 'main' into TC-3863
a3357a1
@a-oren @claude
style: fix spotless formatting violations
5dea62d 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@a-oren
Copy link
Copy Markdown
Contributor Author

a-oren commented Apr 16, 2026

@ruromero Thanks for the review! I pushed the changes

ruromero
ruromero approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@ruromero ruromero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Adva

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ruromero ruromero ruromero approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@a-oren @ruromero