Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] generate SBOM from "global" env #503

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Conversation

jkowalleck
Copy link
Member

@jkowalleck jkowalleck commented Feb 13, 2023

fixes #471

  • have a minimal implementation
  • make sure this implementation also works if installed in a global encapsulated node-env via npx
  • have the bom.metadata.component populated properly
  • have tests
  • have WARNING that this feature is not properly working with NPM6 not needed, npm6 will fail itself, IF it had errors, and success if possible.
  • have proper help texts
  • have updated README

Signed-off-by: Jan Kowalleck <[email protected]>
@jkowalleck jkowalleck added the enhancement New feature or request label Feb 13, 2023
@jkowalleck jkowalleck changed the title [WIP] implementation quick and dirty [WIP] generate SBOM from "global" env Feb 13, 2023
@jkowalleck
Copy link
Member Author

resulted in a preview version: @cyclonedx/cyclonedx-npm@1.8.0-alpha.5d82149ae21396f6824c94185281b9162e2a18411

@schlenk do you want to try the preview and see if it works for you?

@schlenk
Copy link

schlenk commented Feb 14, 2023

@jkowalleck Thanks.

I gave it a try and it basically works with the --global switch.

There are two small feature requests still lurking in there, to make it more useful.

  1. Optionally exclude the cyclonedx-npm global install from the SBOM, as thats basically only installed to create the SBOM and mentioned in the tools metadata anyway, but not really of interest for the SBOM. (or if you want to turn it around, allow a cyclonedx-npm --global to specify the npm installation to actually use, inspecting the global SBOM of a different NPM install instead of the one it is installed into.)
  2. It would be nice to specify toplevel component name/version/purl, as the component that ends up in the metadata is a bit lacking, and always need post processing. This is usually provided by the package.json file, so it is missing for the global case e.g.
    "component": {
      "type": "application",
      "name": "img",
      "bom-ref": "-/img@-",
      "purl": "pkg:npm/img",
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": ""
        }
      ]
    }

@jkowalleck
Copy link
Member Author

Thanks for the feedback, @schlenk .
The alpha build's purpose was to see if it was practical and possible to create needed data.
You confirmed it to work.

Your notes regarding bom.metadata.component will be taken into account.

Be aware, that I might yank the special version at some time, so it will not be possible to install it anymore.
Please refrain from using it in production.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

feat: generate SBOM from "global" scope
2 participants