
Investigate what metadata can be retrieved for npm-install modules #218

Closed
sophiewigmore opened this issue May 10, 2021 · 4 comments

@sophiewigmore
Member

sophiewigmore commented May 10, 2021

As a part of our BOM work outlined in this RFC, we would like to support some type of BOM metadata for modules provided by buildpacks like npm-install.

We should investigate the extent of data that can be extracted around the following for the modules provided by this buildpack:

  • All of the other information (SHA, URI, etc. for each module)
  • License information
  • CPEs

Acceptance

The outcome of this issue should be more issues that outline the work needed to implement viable metadata as a result of this investigation.

sophiewigmore changed the title "Investigate what metadata we can provide for each module" to "Investigate what metadata we can provide for npm-install modules" on May 10, 2021
sophiewigmore changed the title "Investigate what metadata we can provide for npm-install modules" to "Investigate what metadata that can be retrieved for npm-install modules" on May 10, 2021
sophiewigmore changed the title "Investigate what metadata that can be retrieved for npm-install modules" to "Investigate what metadata can be retrieved for npm-install modules" on May 10, 2021
sophiewigmore removed their assignment on Jul 27, 2021
@ForestEckhardt
Contributor

There does not appear to be any straightforward tooling from NPM to facilitate the retrieval of module information. However, because the modules themselves contain package.json files, we could walk the node_modules directory and parse all of the information such as name, version, license, repository, etc. out of the package.json itself, as these are standard fields. Another benefit of this approach is that it will work for any node package manager (i.e. npm, yarn) as it relies on the contents of the node_modules folder as opposed to the functionality built into the package manager.
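
The node_modules walk described above, as an added example in Go; this is not code from the npm-install buildpack or from the commenter. `Entry`, `packageJSON` and `CollectModules` are hypothetical names, and it assumes the BOM only needs name, version, license and repository, with the last two accepted in both their string and object forms.

```go
package main

import (
	"encoding/json"
	"io/fs"
	"os"
	"path/filepath"
)

// Entry is one BOM record recovered from a module's package.json (hypothetical type).
type Entry struct{ Name, Version, License, Repository string }

// packageJSON keeps only the BOM fields; license/repository may be a string or an object.
type packageJSON struct {
	Name       string          `json:"name"`
	Version    string          `json:"version"`
	License    json.RawMessage `json:"license"`
	Repository json.RawMessage `json:"repository"`
}

// stringOrField returns raw if it is a JSON string, else field of a JSON object, else "".
func stringOrField(raw json.RawMessage, field string) string {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s
	}
	obj := map[string]string{} // {"type":"MIT"} or {"type":"git","url":"..."}
	_ = json.Unmarshal(raw, &obj) // on failure obj stays empty and obj[field] is ""
	return obj[field]
}

// CollectModules walks node_modules (nested node_modules and @scoped packages included).
func CollectModules(nodeModules string) ([]Entry, error) {
	var entries []Entry
	err := filepath.WalkDir(nodeModules, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || d.Name() != "package.json" {
			return err
		}
		var pkg packageJSON
		if data, err := os.ReadFile(path); err != nil {
			return err
		} else if json.Unmarshal(data, &pkg) != nil || pkg.Name == "" {
			return nil // e.g. a nameless dist/package.json holding only {"type":"module"}; skip
		}
		entries = append(entries, Entry{pkg.Name, pkg.Version,
			stringOrField(pkg.License, "type"), stringOrField(pkg.Repository, "url")})
		return nil
	})
	return entries, err
}
```

Nameless manifests nested inside a module are skipped, but a named package.json shipped as a test fixture inside a module would still be picked up; a stricter filter would also require the manifest's parent directory to sit directly under node_modules (or under an @scope directory beneath it).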

@ryanmoran
Member

@sophiewigmore
Member Author

sophiewigmore commented Jul 28, 2021

Just checked it out! This tool is awesome; it gets almost everything we want:
name, version, description, hash, source URI, license ID, package URL for each node module. I'm thinking we can try to run this tool alongside the npm install or yarn install buildpack. We may need to do some additional work to generate CPEs and deprecation dates.

The tool outputs in CycloneDX, which will be ideal if/when we officially support CycloneDX. For the time being, with the current TOML format we support, we can likely pull the information off of the JSON and pass it into the same BOM generator we currently use in node-engine and yarn.

@sophiewigmore
Member Author

Closing in favour of the suite of issues to implement this.
