Skip to content

Commit

Permalink
feat: add npm sbom command (#6801)
Browse files Browse the repository at this point in the history
Signed-off-by: Brian DeHamer <bdehamer@github.com>
  • Loading branch information
bdehamer authored Sep 27, 2023
1 parent 3ac703c commit 7c459d2
Show file tree
Hide file tree
Showing 27 changed files with 10,317 additions and 56 deletions.
6 changes: 6 additions & 0 deletions DEPENDENCIES.md
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ graph LR;
npm-->libnpmversion;
npm-->make-fetch-happen;
npm-->nopt;
npm-->normalize-package-data;
npm-->npm-audit-report;
npm-->npm-install-checks;
npm-->npm-package-arg;
Expand Down Expand Up @@ -495,6 +496,9 @@ graph LR;
normalize-package-data-->semver;
normalize-package-data-->validate-npm-package-license;
npm-->abbrev;
npm-->ajv-formats-draft2019;
npm-->ajv-formats;
npm-->ajv;
npm-->archy;
npm-->cacache;
npm-->chalk;
Expand Down Expand Up @@ -533,6 +537,7 @@ graph LR;
npm-->nock;
npm-->node-gyp;
npm-->nopt;
npm-->normalize-package-data;
npm-->npm-audit-report;
npm-->npm-install-checks;
npm-->npm-package-arg;
Expand Down Expand Up @@ -568,6 +573,7 @@ graph LR;
npm-->semver;
npm-->sigstore-tuf["@sigstore/tuf"];
npm-->spawk;
npm-->spdx-expression-parse;
npm-->ssri;
npm-->strip-ansi;
npm-->supports-color;
Expand Down
223 changes: 223 additions & 0 deletions docs/lib/content/commands/npm-sbom.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,223 @@
---
title: npm-sbom
section: 1
description: Generate a Software Bill of Materials (SBOM)
---

### Synopsis

<!-- AUTOGENERATED USAGE DESCRIPTIONS -->

### Description

The `npm sbom` command generates a Software Bill of Materials (SBOM) listing the
dependencies for the current project. SBOMs can be generated in either
[SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) format.

### Example CycloneDX SBOM

```json
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
"version": 1,
"metadata": {
"timestamp": "2023-09-01T00:00:00.001Z",
"lifecycles": [
{
"phase": "build"
}
],
"tools": [
{
"vendor": "npm",
"name": "cli",
"version": "10.1.0"
}
],
"component": {
"bom-ref": "simple@1.0.0",
"type": "library",
"name": "simple",
"version": "1.0.0",
"scope": "required",
"author": "John Doe",
"description": "simple react app",
"purl": "pkg:npm/simple@1.0.0",
"properties": [
{
"name": "cdx:npm:package:path",
"value": ""
}
],
"externalReferences": [],
"licenses": [
{
"license": {
"id": "MIT"
}
}
]
}
},
"components": [
{
"bom-ref": "lodash@4.17.21",
"type": "library",
"name": "lodash",
"version": "4.17.21",
"scope": "required",
"author": "John-David Dalton",
"description": "Lodash modular utilities.",
"purl": "pkg:npm/lodash@4.17.21",
"properties": [
{
"name": "cdx:npm:package:path",
"value": "node_modules/lodash"
}
],
"externalReferences": [
{
"type": "distribution",
"url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
},
{
"type": "vcs",
"url": "git+https://github.com/lodash/lodash.git"
},
{
"type": "website",
"url": "https://lodash.com/"
},
{
"type": "issue-tracker",
"url": "https://github.com/lodash/lodash/issues"
}
],
"hashes": [
{
"alg": "SHA-512",
"content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
]
}
],
"dependencies": [
{
"ref": "simple@1.0.0",
"dependsOn": [
"lodash@4.17.21"
]
},
{
"ref": "lodash@4.17.21",
"dependsOn": []
}
]
}
```

### Example SPDX SBOM

```json
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "simple@1.0.0",
"documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
"creationInfo": {
"created": "2023-09-01T00:00:00.001Z",
"creators": [
"Tool: npm/cli-10.1.0"
]
},
"documentDescribes": [
"SPDXRef-Package-simple-1.0.0"
],
"packages": [
{
"name": "simple",
"SPDXID": "SPDXRef-Package-simple-1.0.0",
"versionInfo": "1.0.0",
"packageFileName": "",
"description": "simple react app",
"primaryPackagePurpose": "LIBRARY",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"homepage": "NOASSERTION",
"licenseDeclared": "MIT",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/simple@1.0.0"
}
]
},
{
"name": "lodash",
"SPDXID": "SPDXRef-Package-lodash-4.17.21",
"versionInfo": "4.17.21",
"packageFileName": "node_modules/lodash",
"description": "Lodash modular utilities.",
"downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"filesAnalyzed": false,
"homepage": "https://lodash.com/",
"licenseDeclared": "MIT",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/lodash@4.17.21"
}
],
"checksums": [
{
"algorithm": "SHA512",
"checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
}
]
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
"relationshipType": "DESCRIBES"
},
{
"spdxElementId": "SPDXRef-Package-simple-1.0.0",
"relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
"relationshipType": "DEPENDS_ON"
}
]
}
```

### Package lock only mode

If package-lock-only is enabled, only the information in the package
lock (or shrinkwrap) is loaded. This means that information from the
package.json files of your dependencies will not be included in the
result set (e.g. description, homepage, engines).

### Configuration

<!-- AUTOGENERATED CONFIG DESCRIPTIONS -->
## See Also

* [package spec](/using-npm/package-spec)
* [dependency selectors](/using-npm/dependency-selectors)
* [package.json](/configuring-npm/package-json)
* [workspaces](/using-npm/workspaces)

3 changes: 3 additions & 0 deletions docs/lib/content/nav.yml
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,9 @@
- title: npm run-script
url: /commands/npm-run-script
description: Run arbitrary package scripts
- title: npm sbom
url: /commands/npm-sbom
description: Generate a Software Bill of Materials (SBOM)
- title: npm search
url: /commands/npm-search
description: Search for packages
Expand Down
Loading

1 comment on commit 7c459d2

@pitmobboss11
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

workspaces/config/tap-snapshots/test/type-description.js.test.cjs

Please sign in to comment.