AugustusKling/cyclonedx-node-yarn

Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.

CycloneDX SBOM plugin for yarn

Create CycloneDX Software Bill of Materials (SBOM) from Yarn projects.

🚧 🏗️ This project is in an early development stage.

See the project's issues, discussions, pull requests and milestone for progress.

Development will happen in branch 1.0-dev.

Feel free to contribute, write issues, create pull requests, or start discussions.
Please read the CONTRIBUTING file first.

Usage

Run yarn build:dev or yarn build to create the bundle. Then import the bundle into your project using yarn import ... or reference it in YARN_PLUGINS.

Generates a CycloneDX SBOM file for the current workspace.

━━━ Usage ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

$ yarn sbom

━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  --spec-version #0      Which version of CycloneDX spec to use.
      (choices: "1.2", "1.3", "1.4", "1.5", default: "1.5")
  --output-format #0     Which output format to use.
      (choices: "JSON", "XML", default: "JSON")
  --output-file #0       Path to the output file. Set to "-" to write to STDOUT.
      (default: write to STDOUT)
  --production,--prod    Exclude development dependencies.
  --component-type #0    Type of component described by the generated SBOM. (choices: "application", "framework", "library", "container", "platform", "device-driver")
      Default: application
  --licenses             Include license information for components in generated SBOM. License information will always be absent for components that don't specify licenses unambiguously.
      Default: Licenses are not included in the SBOM.
  --reproducible         Omit anything random or time-based from SBOM. If enabled, consecutive runs will result in identical files.
      Default: false

━━━ Details ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Recursively scans workspace dependencies and emits them as an SBOM file in
CycloneDX's JSON format.

━━━ Examples ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Generate SBOM in JSON format for all dependencies and write it to standard output.
  $ yarn sbom

Generate SBOM in JSON format for all dependencies, describing the workspace as a library, and write it to standard output.
  $ yarn sbom --component-type=library

Generate SBOM in JSON format for runtime dependencies but omit development dependencies.
  $ yarn sbom --component-type=application --output-file ./sbom-prod.cdx.json --production

Generate SBOM in XML format for runtime dependencies but omit development dependencies.
  $ yarn sbom --component-type=application --output-file ./sbom-prod.cdx.json --output-format=XML --production

Generate SBOM with component licenses.
  $ yarn sbom --licenses
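As an added example that is not part of the cyclonedx-node-yarn project, the following Node.js script reads an SBOM such as the one `yarn sbom` writes and checks the two properties the `--reproducible` and `--licenses` options control: no random or time-based fields, and which components still carry no license. The embedded sample document is constructed for the demonstration, not real plugin output, and the script file name in the usage note is assumed.

```javascript
// Constructed sample CycloneDX 1.5 document (not real output of the plugin),
// trimmed to the fields the checks below look at.
const SAMPLE_SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  serialNumber: "urn:uuid:00000000-0000-4000-8000-000000000000",
  metadata: {
    timestamp: "2024-01-01T00:00:00Z",
    component: { type: "application", name: "my-app" },
  },
  components: [
    { type: "library", name: "lodash", version: "4.17.21",
      purl: "pkg:npm/lodash@4.17.21", licenses: [{ license: { id: "MIT" } }] },
    { type: "library", name: "left-pad", version: "1.3.0",
      purl: "pkg:npm/left-pad@1.3.0" },
  ],
};

// Sanity check: a CycloneDX document in one of the spec versions the plugin emits.
function isSupportedCycloneDx(bom) {
  return bom.bomFormat === "CycloneDX" &&
    ["1.2", "1.3", "1.4", "1.5"].includes(bom.specVersion);
}

// --reproducible promises byte-identical output across runs, so the random
// serial number and the generation timestamp must be absent. Returns the
// paths of fields that would make two runs differ.
function nonReproducibleFields(bom) {
  const found = [];
  if (bom.serialNumber !== undefined) found.push("serialNumber");
  if (bom.metadata && bom.metadata.timestamp !== undefined) found.push("metadata.timestamp");
  return found;
}

// --licenses only fills licenses for components that declare them unambiguously;
// list the purls (or name@version) that still have none so they can be reviewed.
function componentsWithoutLicense(bom) {
  return (bom.components || [])
    .filter((c) => !Array.isArray(c.licenses) || c.licenses.length === 0)
    .map((c) => c.purl || `${c.name}@${c.version}`);
}

// Run against a file given on the command line, or the embedded sample.
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const bom = path ? JSON.parse(require("node:fs").readFileSync(path, "utf8")) : SAMPLE_SBOM;
  console.log(JSON.stringify({ supported: isSupportedCycloneDx(bom),
    nonReproducible: nonReproducibleFields(bom), unlicensed: componentsWithoutLicense(bom) }, null, 2));
}
```

Run it as `node check-sbom.js ./sbom-prod.cdx.json` (file name assumed) against a real SBOM, or with no arguments to check the embedded sample.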

Contained components

See the components and licenses file.
