[PLANNING] VISION

[jkowalleck]

the users of the old https://github.com/CycloneDX/cyclonedx-node-module/tree/3.x
expected support for yarn,
but the yarn support was limited and flawed. see the closed-issues list of the project ...

to bring yarn support to the community, this dedicated project should solve the feature lack.

Goal

Responsibilities

• create SBOM in JSON or XML from yarn environments
• ... to be continued ...

Capabilities / Features

• runs in CLI
• can create reproducible results (feature switch)
• can create results in CDX spec 1.2 to 1.x (feature switch)
• can create results in XML or JSON (feature switch)
• supports latest yarn version: v4
• support yarn v1, v2, v3
  if this is not possible, the project could split for dedicated support of the versions
  became optional; like nice to have; like if a low-hanging fruit, why not
• MUST NOT publish any API or internal interfaces.
• ... to be continued ...

Architecture

this project should utilize https://github.com/CycloneDX/cyclonedx-javascript-library

Option: yarn plugin

implement a yarn plugin, that adds a new yarn command an can produce the SBOM as expected.
https://yarnpkg.com/features/plugins

need to do a Prove of concept, that showed that the plugin can run a command, and this command has access to yarns internal data structures ...
or find other capabilities ....

misc

• ... to be continued ...

---

You want to contribute or champion this tool? ❤️ see #12

[jkowalleck]

the implementation is coming to an end, nearly all core features are implemented. MVP in reach.
discussion closed.

[jdalton]

Which version of yarn does this support (and versions of the lock file)?

[jkowalleck]

Which version of yarn does this support [...]?
currently, there is a plugin for yarn v4

see

cyclonedx-node-yarn/README.md

Lines 29 to 35 in 2c87fcc

	## Requirements
	!! to be clarified ...
	* `node` >= `18`
	* `yarn` >= `4`

see

cyclonedx-node-yarn/package.json

Lines 88 to 91 in 2c87fcc

	"engines": {
	"yarn": ">=4",
	"node": ">=18"
	},

[...] versions of the lock file?

this is a yarn plugin. it supports everything that is supported by the yarn version you use/provide.

[jkowalleck]

i am currently investigating support foe yarn3, alongside with support for yarn4.
looks promising :D see #121

[jkowalleck]

Support for yarn3 was added in v1.0.0-rc.2