Create CycloneDX Software Bill of Materials (SBOM) from yarn projects.
See the project's issues, discussions, pull requests and milestone for the progress.
- planning/vision: CycloneDX#8
Development will happen in branch 1.0-dev.
Feel free to contribute, write issues, create pull requests, or start discussions.
Please read the CONTRIBUTING file first.
!! to be clarified ...
- node >=18
- yarn >=4
Currently there are no releases or pre-builds, so the only way to test this tool is to build it from source:
- clone this repository
- install the project dependencies: run
  yarn install --immutable
- create the bundle: run
  yarn build
Then, import the bundle into your project using yarn import ..., or reference it in the environment variable YARN_PLUGINS, like so:
YARN_PLUGINS=.../bundles/@yarnpkg/plugin-cyclonedx.js yarn sbom --help
The help page:
Generates CycloneDX SBOM for current workspace.
━━━ Usage ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$ yarn cyclonedx
━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
--spec-version #0 Which version of CycloneDX to use.
(choices: 1.6, 1.5, 1.4, 1.3, 1.2, default: 1.5)
--output-format #0 Which output format to use.
(choices: JSON, XML, default: JSON)
--output-file #0 Path to the output file.
Set to "-" to write to STDOUT.
(default: write to STDOUT)
--production,--prod Exclude development dependencies.
(default: true if the NODE_ENV environment variable is set to "production", otherwise false)
--mc-type #0 Type of the main component.
(choices: application, library, firmware, default: application)
--short-PURLs Omit all qualifiers from PackageURLs.
This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
--output-reproducible Whether to go the extra mile and make the output reproducible.
This might result in loss of time- and random-based values.
--verbose,-v Increase the verbosity of messages.
Use multiple times to increase the verbosity even more.
━━━ Details ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Recursively scan workspace dependencies and emits them as
Software-Bill-of-Materials(SBOM) in CycloneDX format.
This yarn plugin uses the CycloneDX library to generate the actual data structures.
This yarn plugin does not expose any additional public API or classes; all code is intended to be internal and might change without notice between versions.
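The plugin only writes the document; consuming it is the reader's job. The following is an added example, not code from the plugin-cyclonedx project: it takes a CycloneDX 1.5 JSON SBOM of the shape described by the help page above (metadata.component, components with purl and bom-ref, a dependencies graph), checks that every dependency reference resolves to a declared bom-ref, and shows what the --short-PURLs option's "omit all qualifiers" does to a PackageURL. The SBOM object, the function names (checkSbom, shortPurl) and the package versions are constructed for this example.

```javascript
// Added example, not part of plugin-cyclonedx. SAMPLE_SBOM is a hand-constructed
// CycloneDX 1.5 document shaped like the plugin's JSON output; the unresolved
// reference in the last dependency entry is deliberate so the check has something to report.
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  version: 1,
  metadata: {
    component: { type: 'application', name: 'my-app', version: '1.0.0', 'bom-ref': 'my-app@workspace:.' },
  },
  components: [
    {
      type: 'library', name: 'lodash', version: '4.17.21', 'bom-ref': 'lodash@npm:4.17.21',
      // a "full" PURL carrying a qualifier, as emitted without --short-PURLs
      purl: 'pkg:npm/lodash@4.17.21?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Flodash%2Flodash.git',
    },
    {
      type: 'library', name: 'left-pad', version: '1.3.0', 'bom-ref': 'left-pad@npm:1.3.0',
      purl: 'pkg:npm/left-pad@1.3.0',
    },
  ],
  dependencies: [
    { ref: 'my-app@workspace:.', dependsOn: ['lodash@npm:4.17.21', 'left-pad@npm:1.3.0'] },
    { ref: 'lodash@npm:4.17.21', dependsOn: [] },
    { ref: 'left-pad@npm:1.3.0', dependsOn: ['missing@npm:0.0.1'] }, // dangling bom-ref (constructed)
  ],
};

// Strip the qualifiers ("?key=value&...") from a PackageURL while keeping an
// optional "#subpath" suffix. This mirrors the information loss the
// --short-PURLs option describes: the qualifiers are gone, the package identity stays.
function shortPurl(purl) {
  const q = purl.indexOf('?');
  if (q === -1) return purl;
  const hash = purl.indexOf('#', q);
  return hash === -1 ? purl.slice(0, q) : purl.slice(0, q) + purl.slice(hash);
}

// Return a list of problems found in the SBOM (empty list means it passed):
//  - wrong bomFormat
//  - components without a purl (nothing to match against vulnerability feeds)
//  - dependency entries or dependsOn targets that name no declared bom-ref
function checkSbom(bom) {
  const problems = [];
  if (bom.bomFormat !== 'CycloneDX') problems.push('bomFormat is not CycloneDX');

  const refs = new Set();
  const main = bom.metadata && bom.metadata.component;
  if (main && main['bom-ref']) refs.add(main['bom-ref']);
  for (const c of bom.components || []) {
    if (c['bom-ref']) refs.add(c['bom-ref']);
    if (!c.purl) problems.push(`component ${c.name}@${c.version} has no purl`);
  }

  for (const d of bom.dependencies || []) {
    if (!refs.has(d.ref)) problems.push(`dependency ref ${d.ref} is not a declared bom-ref`);
    for (const target of d.dependsOn || []) {
      if (!refs.has(target)) problems.push(`${d.ref} depends on undeclared bom-ref ${target}`);
    }
  }
  return problems;
}

// Inventory helper: one line per component, with both PURL forms side by side.
function inventory(bom) {
  return (bom.components || []).map((c) => ({
    name: c.name,
    version: c.version,
    purl: c.purl,
    shortPurl: shortPurl(c.purl),
  }));
}

console.log(inventory(SAMPLE_SBOM));
console.log(checkSbom(SAMPLE_SBOM));
```

To run this against real plugin output, replace SAMPLE_SBOM with the parsed contents of the file written via --output-file (for example JSON.parse of that file). A non-empty result from checkSbom means the dependency graph refers to a component the document does not declare, which is exactly the kind of gap that makes an SBOM unreliable for vulnerability matching.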
Feel free to open issues, bug reports or pull requests.
See the CONTRIBUTING file for details.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.