Skip to content

Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.

License

Notifications You must be signed in to change notification settings

kdsfkls/cyclonedx-node-yarn

 
 

Repository files navigation

CycloneDX SBOM plugin for yarn

shield_gh-workflow-test shield_coverage shield_license
shield_website shield_slack shield_groups shield_twitter-follow


Create CycloneDX Software Bill of Materials (SBOM) from yarn projects.

🚧 🏗️ this project is in alpha stage

See the projects issues, discussions, pull requests and milestone for the progress.

Development will happen in branch 1.0-dev.

Feel free to contribute, write issues, create pull requests, or start discussions.
Please read the CONTRIBUTING file first.


Requirements

!! to be clarified ...

  • node >= 18
  • yarn >= 4

Installation

Currently, there are no releases nor pre-builds. This means, the only way to test this tool is by building it from source:

  1. clone this repository
  2. install the project dependencies: run yarn install --immutable
  3. create the bundle: run yarn build

Then, import the bundle into your project using yarn import ..., or reference it in environment variable YARN_PLUGINS — like so:

YARN_PLUGINS=.../bundles/@yarnpkg/plugin-cyclonedx.js yarn sbom --help

Usage

The help page:

Generates CycloneDX SBOM for current workspace.

━━━ Usage ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

$ yarn cyclonedx

━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  --spec-version #0        Which version of CycloneDX to use.
                           (choices: 1.6, 1.5, 1.4, 1.3, 1.2, default: 1.5)
  --output-format #0       Which output format to use.
                           (choices: JSON, XML, default: JSON)
  --output-file #0         Path to the output file.
                           Set to "-" to write to STDOUT.
                           (default: write to STDOUT)
  --production,--prod      Exclude development dependencies.
                           (default: true if the NODE_ENV environment variable is set to "production", otherwise false)
  --mc-type #0             Type of the main component.
                           (choices: application, library, firmware, default: application)
  --short-PURLs            Omit all qualifiers from PackageURLs.
                           This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
  --output-reproducible    Whether to go the extra mile and make the output reproducible.
                           This might result in loss of time- and random-based values.
  --verbose,-v             Increase the verbosity of messages.
                           Use multiple times to increase the verbosity even more.

━━━ Details ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Recursively scan workspace dependencies and emits them as 
Software-Bill-of-Materials(SBOM) in CycloneDX format.

Internals

This yarn plugin utilizes the CycloneDX library to generate the actual data structures.

This yarn plugin does not expose any additional public API or classes - all code is intended to be internal and might change without any notice during version upgrades.

Development & Contributing

Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

About

Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • TypeScript 53.0%
  • JavaScript 47.0%