Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

@deluksic/cyclonedx-npm

CycloneDX162Apache-2.01.14.0

Create CycloneDX Software Bill of Materials (SBOM) from NPM projects.

CycloneDX, SBOM, BOM, inventory, bill-of-materials, software-bill-of-materials, component, dependency, package-url, PURL, spdx, node, npm

readme

shield_npm-version shield_gh-workflow-test shield_license
shield_website shield_slack shield_groups shield_twitter-follow

cyclonedx-npm

Create CycloneDX Software Bill of Materials (SBOM) from npm projects.

Based on OWASP Software Component Verification Standard for Software Bill of Materials's criteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).

The resulting SBOM documents follow official specifications and standards, and might have properties following cdx:npm Namespace Taxonomy .

Requirements

  • node >= 14
  • npm in range 6 - 9

Installation

There are multiple methods for installing this tool:

  • As a global tool ala npm:

    npm install --global @cyclonedx/cyclonedx-npm

  • As a global tool ala npx:

    npx --package @cyclonedx/cyclonedx-npm --call exit

  • As a development dependency of the current projects:

    npm install --save-dev @cyclonedx/cyclonedx-npm

Usage

Depending on the installation method, the following describes the proper usage:

  • If installed as a global tool ala npm:

    cyclonedx-npm --help

  • If installed as a global tool ala npx:
    — or —
    If installed as a development dependency of the current projects:

    npx @cyclonedx/cyclonedx-npm --help

The help page:

Usage: cyclonedx-npm [options] [--] [<package-manifest>]

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.

Arguments:
  <package-manifest>        Path to project's manifest file.
                            (default: "package.json" file in current working directory)

Options:
  --ignore-npm-errors       Whether to ignore errors of NPM.
                            This might be used, if "npm install" was run with "--force" or "--legacy-peer-deps".
                            (default: false)
  --package-lock-only       Whether to only use the lock file, ignoring "node_modules".
                            This means the output will be based only on the few details in and the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory.
                            (default: false)
  --omit <type...>          Dependency types to omit from the installation tree.
                            (can be set multiple times)
                            (choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty)
  --flatten-components      Whether to flatten the components.
                            This means the actual nesting of node packages is not represented in the SBOM result.
                            (default: false)
  --short-PURLs             Omit all qualifiers from PackageURLs.
                            This causes information loss in trade of shorter PURLs, which might improve digesting these strings.
                            (default: false)
  --spec-version <version>  Which version of CycloneDX spec to use.
                            (choices: "1.2", "1.3", "1.4", default: "1.4")
  --output-reproducible     Whether to go the extra mile and make the output reproducible.
                            This requires more resources, and might result in loss of time- and random-based-values.
                            (env: BOM_REPRODUCIBLE)
  --output-format <format>  Which output format to use.
                            (choices: "JSON", "XML", default: "JSON")
  --output-file <file>      Path to the output file.
                            Set to "-" to write to STDOUT.
                            (default: write to STDOUT)
  --validate                Validate resulting BOM before outputting. Validation is skipped, if requirements not met.
                            (default: true)
  --no-validate             Disable validation of resulting BOM.
  --mc-type <type>          Type of the main component.
                            (choices: "application", "firmware", "library", default: "application")
  -V, --version             output the version number
  -h, --help                display help for command

Demo

For a demo of cyclonedx-npm see the demo project.

How it works

This tool utilizes npm to collect evidences of installed packages/modules. Read more in the dedicated docs.

The appropriate npm executable is detected automatically, yet can be overridden with the environment variable npm_execpath.
Autodetect: If called from npm/npx context, then the current npm executable is utilized, otherwise it is managed by SHELL and PATH.

This tool does not do artificial deduplication. Therefore, if a component is installed multiple times, it appears multiple times in the SBOM result. Read more on the topic in the dedicated docs "Component Deduplication".

Internals

This tool utilizes the CycloneDX library to generate the actual data structures, and serialize and validate them.
Validation requires transitive optional dependencies.

This tool does not expose any additional public API or classes - all code is intended to be internal and might change without any notice during version upgrades.

Contributing

Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

changelog

Changelog

All notable changes to this project will be documented in this file.

unreleased

  • Build
    • Disabled TypeScript compilerOption esModuleInterop (via #736)
    • Disabled TypeScript compilerOption allowSyntheticDefaultImports (via #736)

1.12.0 - 2023-05-17

Based on OWASP Software Component Verification Standard for Software Bill of Materials (SCVS SBOM) criteria, this tool is now capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).
Affective changes based on these SCVS SBOM criteria:

  • 2.15 — SPDX license expression detection improved (via #726)
  • 2.18 — SHA-1 integrity hash detection added (#699 via #735)

Details

  • Changes
    • SPDX license expression detection improved (via #726)
      Previously, some expressions were not properly detected, so they were marked as named-license in the SBOM results. They should be marked as expression, now.
  • Added
    • Added detection for package integrity with SHA-1 (#699 via #735)
  • Misc
    • Raised dependency @cyclonedx/cyclonedx-library@^2.0.0, was @^1.14.0 (via #726)

1.11.0 - 2023-04-27

  • Added
    • SBOM result might be validated (via #660)
      This feature is enabled per default and can be disabled via CLI switch --no-validate.
      Validation is skipped, if requirements are not met. Requires transitive optional dependencies

1.10.0 - 2023-04-17

  • Added
    • SBOM result might have component.scope=optional populated for OptionalDependencies (#645 via #657)
  • Fixed
    • DevDependencies that are also required by OptionalDependencies correctly have the property cdx:npm:package:development populated in SBOM results (#645 via #657)
    • DevDependencies that are also required by OptionalDependencies are correctly omitted from SBOM results, when the CLI switch for omitting "dev" and "optional" are set (#645 via #657)
  • Docs
    • Describe internal NPM executable detection in README (via #647)
  • Build
    • Use TypeScript v5.0.4 now, was v4.9.5 (via #638)

1.9.2 - 2023-03-30

  • Fixed
    • No longer omit components' version's buildID (#551 via #597)
      Fixed for NPM>=7 only. NPM6 omits this information in the first place, still.
  • Misc

1.9.1 - 2023-03-15

  • Docs
    • added section "How it works" to the README (via #563)

1.9.0 - 2023-03-03

  • Changed
    • Detected node packages' metadata are now normalized, before translation to SBOM components happens. (#536 via #537)
      This might increase the quality of SBOM results.

1.8.0 - 2023-02-16

  • Added
    • SBOM result might have additional items in metadata.tools populated (#505 via #506)

1.7.5 - 2023-02-14

Maintenance release

1.7.4 - 2023-02-14

Maintenance release

1.7.3 - 2023-02-12

Maintenance release

  • Dependencies
    • Utilize commander ^10.0.0 now, was "^9.4.0 (via #431)
  • Build
    • Use TypeScript v4.9.5 now, was v4.9.4 (via #482)

1.7.2 - 2022-12-19

  • Changed
    • Enhanced randomness when generating a serialNumber (via #389)
  • Build
    • Use TypeScript v4.9.4 now, was v4.9.3 (via #366)

1.7.1 - 2022-12-16

Maintenance release

1.7.0 - 2022-12-15

  • Added
    • SBOM result might have serialNumber populated (#375 via #376, #377)

1.6.1 - 2022-11-19

Maintenance release

  • Docs
    • Enhanced documentation regarding NodeJS/NPM internals, package-dedupe and results (via #331)
  • Misc
    • Added test for flattened results (via #312)
  • Build
    • Use TypeScript v4.9.3 now, was v4.8.4 (via #333)

1.6.0 - 2022-11-12

  • Added
  • Misc
    • Added demos for flattened results (via #310)

1.5.0 - 2022-11-11

  • Added
    • Components' install path/location will be visible in the SBOM result (#305 via #308)

1.4.1 - 2022-11-06

  • Fixed
    • Components' "sha512" hash is properly detected and populated in the SBOM result (#302 via #303)

1.4.0 - 2022-11-05

  • Added
    • Enabled support for NPM v9 (#245 via #246)

1.3.0 - 2022-10-30

  • Fixed
    • Improved the NPM compatibility with --omit options (#254 via #259)
    • In case of an error, the exit code is guaranteed to be non-zero (via #260)
  • Misc
    • Added more debug output regarding NPM version detection (via #259)

1.2.0 - 2022-10-23

  • Changed
    • The existence of a lock file is no longer enforced, as long as there are other evidence (#247 via #248)

1.1.0 - 2022-10-22

  • Added
    • CLI got a new switch --short-PURLs (#225 via #226)
  • Fixed
    • Improved usability on Windows (#161 via #234)
  • Misc
    • Improved the error message when a lock files was missing (#196 via #231)
  • Build
    • Use TypeScript v4.8.4 now, was v4.8.3 (via #164)

1.0.0 - 2022-09-24

First major version (via #1)

Thanks to all the beta testers. Your efforts, feedback and contributions are appreciated.

1.0.0-beta.8 - 2022-09-10

  • Fixed
    • Run on Windows systems was improved for npm/npx sub-processes.
  • Misc
    • Style: imports are sorted, now.
  • Build
    • Use TypeScript v4.8.3 now, was v4.8.2.

1.0.0-beta.7 - 2022-09-07

  • Changed
    • PackageUrl(PURL) in JSON and XML results are as short as possible, but still precise.

1.0.0-beta.6 - 2022-09-06

  • Added
    • CLI switch --ignore-npm-errors to ignore/suppress NPM errors.

1.0.0-beta.5 - 2022-09-06

  • Added
    • Support for node 14 was enabled.
    • Support for handling when run via npx.
  • Docs
    • Improve installation instructions and usage instructions.
  • Misc
    • Improved test coverage.
  • Build
    • Use TypeScript v4.8.2 now, was v4.7.4.

1.0.0-beta.4 - 2022-08-25

  • Fixed
    • Run on Windows systems was fixed.
    • Improved error reporting.
    • Debug output was made clearer to understand.

1.0.0-beta.3 - 2022-08-23

  • Change
    • The package no longer pins dependencies via shrinkwrap.

1.0.0-beta.2 - 2022-08-21

  • Fixed
    • Debug output was made clearer to understand and less annoying.
  • Style
    • Improved internal typing for OmittableDependencyTypes.

1.0.0-beta.1 - 2022-08-20

  • First feature complete implementation.