Skip to content

feat: generate SBOM from "global" scope #471

Description

@schlenk

Is your feature request related to a problem? Please describe.

I try to package a nodejs + NPM installation that ships a few global tools like yarn/dart-saas as part of a larger software installer.

So basically i do the following (with some in-house BSD/Mac ports style system):

  1. Unzip a nodejs distro, e.g. node-v18.12.1-win-x64.zip and rename the folder to 'img'

  2. Provide some .tar.gz of sass & yarn, e.g. sass-1.57.0.tar.gz and yarn-v1.22.10.tar.gz in the folder 'base'

  3. Run a global npm install for the packages, resolving dependencies from the npm registry

     img\npm install --cache base/ --global saas@1.57.0
     img\npm install --cache base/ --global yarn@1.22.10
    
  4. Try to get an SBOM for the installed global packages, either as a SBOM with multiple application components included or one SBOM per application.

Describe the solution you'd like

I would like to have an option to use this package to get SBOMs for the globally installed packages in my node_modules folder.

Describe alternatives you've considered

I used the cyclonedx-bom package before, just pointing it at the created img/node_modules to collect the actually installed global tools with dependencies. That worked mostly fine and created a useable SBOM.

With this package this does not work, as the code complains about a missing package-lock.json when i run it for the individual apps and has no option at all to just consume the img/node_modules folder.

C:\code\repro\img>.\cyclonedx-npm --output-file bom.json node_modules\yarn\package.json
DEBUG | options: {"ignoreNpmErrors":false,"packageLockOnly":false,"omit":[],"flattenComponents":false,"shortPURLs":false,"specVersion":"1.4","outputFormat":"JSON","outputFile":"bom.json","mcType":"application"}
DEBUG | packageFile: C:\code\repro\img\node_modules\yarn\package.json
INFO  | projectDir: C:\code\repro\img\node_modules\yarn
LOG   | No evidence: no package lock file nor npm shrinkwrap file
LOG   | No evidence: no node_modules dir
INFO  | ? Did you forget to run `npm install` on your project accordingly ?

Error: missing evidence

There seems to be no way to tell npm install --global to create any form of lock file. Or i could not find it.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesthelp wantedExtra attention is needed

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions