Skip to content

Commit

Permalink
feat: add npm sbom command (#6841)
Browse files Browse the repository at this point in the history
  • Loading branch information
bdehamer authored Oct 6, 2023
1 parent 7cd329d commit ecda95a
Show file tree
Hide file tree
Showing 27 changed files with 10,317 additions and 56 deletions.
6 changes: 6 additions & 0 deletions DEPENDENCIES.md
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,7 @@ graph LR;
npm-->libnpmversion;
npm-->make-fetch-happen;
npm-->nopt;
npm-->normalize-package-data;
npm-->npm-audit-report;
npm-->npm-install-checks;
npm-->npm-package-arg;
Expand Down Expand Up @@ -496,6 +497,9 @@ graph LR;
normalize-package-data-->semver;
normalize-package-data-->validate-npm-package-license;
npm-->abbrev;
npm-->ajv-formats-draft2019;
npm-->ajv-formats;
npm-->ajv;
npm-->archy;
npm-->cacache;
npm-->chalk;
Expand Down Expand Up @@ -534,6 +538,7 @@ graph LR;
npm-->nock;
npm-->node-gyp;
npm-->nopt;
npm-->normalize-package-data;
npm-->npm-audit-report;
npm-->npm-install-checks;
npm-->npm-package-arg;
Expand Down Expand Up @@ -569,6 +574,7 @@ graph LR;
npm-->semver;
npm-->sigstore;
npm-->spawk;
npm-->spdx-expression-parse;
npm-->ssri;
npm-->supports-color;
npm-->tap;
Expand Down
223 changes: 223 additions & 0 deletions docs/lib/content/commands/npm-sbom.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,223 @@
---
title: npm-sbom
section: 1
description: Generate a Software Bill of Materials (SBOM)
---

### Synopsis

<!-- AUTOGENERATED USAGE DESCRIPTIONS -->

### Description

The `npm sbom` command generates a Software Bill of Materials (SBOM) listing the
dependencies for the current project. SBOMs can be generated in either
[SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) format.

### Example CycloneDX SBOM

```json
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
"version": 1,
"metadata": {
"timestamp": "2023-09-01T00:00:00.001Z",
"lifecycles": [
{
"phase": "build"
}
],
"tools": [
{
"vendor": "npm",
"name": "cli",
"version": "10.1.0"
}
],
"component": {
"bom-ref": "simple@1.0.0",
"type": "library",
"name": "simple",
"version": "1.0.0",
"scope": "required",
"author": "John Doe",
"description": "simple react app",
"purl": "pkg:npm/simple@1.0.0",
"properties": [
{
"name": "cdx:npm:package:path",
"value": ""
}
],
"externalReferences": [],
"licenses": [
{
"license": {
"id": "MIT"
}
}
]
}
},
"components": [
{
"bom-ref": "lodash@4.17.21",
"type": "library",
"name": "lodash",
"version": "4.17.21",
"scope": "required",
"author": "John-David Dalton",
"description": "Lodash modular utilities.",
"purl": "pkg:npm/lodash@4.17.21",
"properties": [
{
"name": "cdx:npm:package:path",
"value": "node_modules/lodash"
}
],
"externalReferences": [
{
"type": "distribution",
"url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
},
{
"type": "vcs",
"url": "git+https://github.com/lodash/lodash.git"
},
{
"type": "website",
"url": "https://lodash.com/"
},
{
"type": "issue-tracker",
"url": "https://github.com/lodash/lodash/issues"
}
],
"hashes": [
{
"alg": "SHA-512",
"content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
]
}
],
"dependencies": [
{
"ref": "simple@1.0.0",
"dependsOn": [
"lodash@4.17.21"
]
},
{
"ref": "lodash@4.17.21",
"dependsOn": []
}
]
}
```

### Example SPDX SBOM

```json
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "simple@1.0.0",
"documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
"creationInfo": {
"created": "2023-09-01T00:00:00.001Z",
"creators": [
"Tool: npm/cli-10.1.0"
]
},
"documentDescribes": [
"SPDXRef-Package-simple-1.0.0"
],
"packages": [
{
"name": "simple",
"SPDXID": "SPDXRef-Package-simple-1.0.0",
"versionInfo": "1.0.0",
"packageFileName": "",
"description": "simple react app",
"primaryPackagePurpose": "LIBRARY",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"homepage": "NOASSERTION",
"licenseDeclared": "MIT",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/simple@1.0.0"
}
]
},
{
"name": "lodash",
"SPDXID": "SPDXRef-Package-lodash-4.17.21",
"versionInfo": "4.17.21",
"packageFileName": "node_modules/lodash",
"description": "Lodash modular utilities.",
"downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"filesAnalyzed": false,
"homepage": "https://lodash.com/",
"licenseDeclared": "MIT",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/lodash@4.17.21"
}
],
"checksums": [
{
"algorithm": "SHA512",
"checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
}
]
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
"relationshipType": "DESCRIBES"
},
{
"spdxElementId": "SPDXRef-Package-simple-1.0.0",
"relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
"relationshipType": "DEPENDS_ON"
}
]
}
```

### Package lock only mode

If package-lock-only is enabled, only the information in the package
lock (or shrinkwrap) is loaded. This means that information from the
package.json files of your dependencies will not be included in the
result set (e.g. description, homepage, engines).

### Configuration

<!-- AUTOGENERATED CONFIG DESCRIPTIONS -->
## See Also

* [package spec](/using-npm/package-spec)
* [dependency selectors](/using-npm/dependency-selectors)
* [package.json](/configuring-npm/package-json)
* [workspaces](/using-npm/workspaces)

3 changes: 3 additions & 0 deletions docs/lib/content/nav.yml
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,9 @@
- title: npm run-script
url: /commands/npm-run-script
description: Run arbitrary package scripts
- title: npm sbom
url: /commands/npm-sbom
description: Generate a Software Bill of Materials (SBOM)
- title: npm search
url: /commands/npm-search
description: Search for packages
Expand Down
Loading

0 comments on commit ecda95a

Please sign in to comment.