{"id":26187761,"url":"https://github.com/shiftleftcyber/shiftsbomgen-node","last_synced_at":"2025-04-15T00:56:02.363Z","repository":{"id":167388271,"uuid":"641716929","full_name":"shiftleftcyber/ShiftSBOMGen-Node","owner":"shiftleftcyber","description":"A pure client side CycloneDX SBOM Generator for node/npm projects","archived":false,"fork":false,"pushed_at":"2025-02-16T17:44:14.000Z","size":82,"stargazers_count":4,"open_issues_count":3,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-15T00:55:55.497Z","etag":null,"topics":["azure-devops","bitbucket","cicd","cyclonedx","github-actions","gitlab-ci","open-source-security","oss","sbom","spdx","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://shiftleftcyber.io","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shiftleftcyber.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-17T02:54:20.000Z","updated_at":"2025-02-16T17:44:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"9f2bb229-a47e-46da-8a52-a34128eb7997","html_url":"https://github.com/shiftleftcyber/ShiftSBOMGen-Node","commit_stats":null,"previous_names":["ccideas/cyclonedx-npm-pipe","shiftleftcyber/cyclonedx-npm-pipe"],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shiftleftcyber%2FShiftSBOMGen-Node","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shiftleftcyber%2FShiftSBOMGen-Node/tags","releases_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/shiftleftcyber%2FShiftSBOMGen-Node/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shiftleftcyber%2FShiftSBOMGen-Node/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shiftleftcyber","download_url":"https://codeload.github.com/shiftleftcyber/ShiftSBOMGen-Node/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248986280,"owners_count":21194025,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure-devops","bitbucket","cicd","cyclonedx","github-actions","gitlab-ci","open-source-security","oss","sbom","spdx","supply-chain-security"],"created_at":"2025-03-11T23:51:32.137Z","updated_at":"2025-04-15T00:56:02.347Z","avatar_url":"https://github.com/shiftleftcyber.png","language":"Shell","readme":"# ShiftSBOM-Node\n\n[![SonarQube Cloud](https://sonarcloud.io/images/project_badges/sonarcloud-highlight.svg)](https://sonarcloud.io/summary/new_code?id=ccideas1_cyclonedx-npm-pipe)\n\n[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=ccideas1_cyclonedx-npm-pipe\u0026metric=bugs)](https://sonarcloud.io/summary/new_code?id=ccideas1_cyclonedx-npm-pipe)\n[![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=ccideas1_cyclonedx-npm-pipe\u0026metric=code_smells)](https://sonarcloud.io/summary/new_code?id=ccideas1_cyclonedx-npm-pipe)\n[![Duplicated Lines 
(%)](https://sonarcloud.io/api/project_badges/measure?project=ccideas1_cyclonedx-npm-pipe\u0026metric=duplicated_lines_density)](https://sonarcloud.io/summary/new_code?id=ccideas1_cyclonedx-npm-pipe)\n\n![Build Badge](https://img.shields.io/bitbucket/pipelines/ccideas1/cyclonedx-npm-pipe/main)\n![GitHub release (latest by date)](https://img.shields.io/github/v/release/shiftleftcyber/cyclonedx-npm-pipe)\n\nShiftSBOM-Node is a pure client-side Bitbucket Pipe that generates a CycloneDX-compliant Software Bill of Materials\n(SBOM) for Node.js/npm projects. No subscriptions, server access, or API keys are required.\n\nThe official copy of this project is hosted on [Bitbucket](https://bitbucket.org/ccideas1/cyclonedx-npm-pipe/src/main/).\nIn order to reach a diverse audience, a copy of the repo also exists on\n[GitHub](https://github.com/ccideas/cyclonedx-npm-pipe).\nIt is recommended to submit Pull Requests to the Bitbucket copy; however, submissions to either copy\nwill be synced.\n\n## YAML Definition\n\nThe following is an example of a Bitbucket pipeline which installs npm dependencies and caches them\nin one step, then uses those cached dependencies in the next step to build a CycloneDX\nsBOM. 
The following code snip would need to be added to the `bitbucket-pipelines.yml` file\n\n```yaml\npipelines:\n  default:\n    - step:\n        name: Build and Test\n        caches:\n          - node\n        script:\n          - npm install\n          - npm test\n    - step:\n        name: Gen CycloneDX sBom\n        caches:\n          - node\n        script:\n          - pipe: docker://ccideas/cyclonedx-npm-pipe:3.0.1\n            variables:\n              IGNORE_NPM_ERRORS: 'true' # optional\n              NPM_SHORT_PURLS: 'true' # optional\n              NPM_OUTPUT_FORMAT: 'json' # optional\n              NPM_PACKAGE_LOCK_ONLY: 'false' # optional\n              NPM_SPEC_VERSION: '1.6' # optional\n              OUTPUT_DIRECTORY: 'build' # optional # this dir should be archived by the pipeline\n        artifacts:\n          - build/*\n```\n\n## Variables\n\n| Variable                  | Usage                                                               | Options                         | Default       |\n| ---------------------     | -----------------------------------------------------------         | -----------                     | -------       |\n| IGNORE_NPM_ERRORS         | Used to ignore any npm errors when generating the report            | true, false                     | false         |\n| NPM_FLATTEN_COMPONENTS    | Used to specify if the components should be flattened               | true, false                     | false         |\n| NPM_SHORT_PURLS           | Used to specify if qualifiers from PackageURLs should be shortened  | true, false                     | false         |\n| NPM_OUTPUT_REPRODUCIBLE   | Used to specify if the output should be reproducible                | true, false                     | false         |\n| NPM_SPEC_VERSION          | Used to specify the version of the CycloneDX spec                   | 1.2, 1.3, 1.4, 1.5, 1.6         | 1.6           |\n| NPM_MC_TYPE               | Used to specify the type of main component 
                         | application, firmware, library  | application   |\n| NPM_OMIT                  | Used to omit specific dependency types                              | dev, optional, peer             | none          |\n| NPM_OUTPUT_FORMAT         | Used to specify output format of the sBOM                           | json, xml                       | json          |\n| NPM_PACKAGE_LOCK_ONLY     | Used to find dependencies from the package-lock.json file only      | true, false                     | false         |\n| OUTPUT_DIRECTORY          | Used to specify the directory to place all output in                | directory name                  | sbom_output   |\n\n## Details\n\nGenerates a CycloneDX compliant Software Bill of Materials\nfor a node/npm project. The generated sBOM will be created in the\nsbom-output directory and be named `${BITBUCKET_REPO_SLUG}-sbom.json`\n\n## Prerequisites\n\nnpm dependencies must be installed first. It is advised to install npm dependencies\nin one step and then archive them, so they can be read by the pipe. See the example below.\n\n## Example\n\nA working pipeline for the popular [auditjs](https://www.npmjs.com/package/auditjs)\ntool has been created as an example. 
The pipeline in\nthis fork of the [auditjs](https://www.npmjs.com/package/auditjs) tool will install the required\ndependencies, then generate a CycloneDX sBOM containing all the ingredients which make up the\nproduct.\n\n* [Repository Link](https://bitbucket.org/ccideas1/fork-auditjs/src/main/)\n* [Link to bitbucket-pipelines.yml](https://bitbucket.org/ccideas1/fork-auditjs/src/main/bitbucket-pipelines.yml)\n* [Link to pipeline](https://bitbucket.org/ccideas1/fork-auditjs/pipelines/results/4)\n\n## Support\n\nIf you'd like help with this pipe, have an issue, or have a feature request,\n[let us know](https://github.com/ccideas/cyclonedx-npm-pipe/issues).\n\nIf you are reporting an issue, please include:\n\n* the version of the pipe\n* relevant logs and error messages\n* steps to reproduce\n\n## Credits\n\nThis Bitbucket pipe is a collection and integration of the following open source tools:\n\n* [cyclonedx-npm](https://github.com/CycloneDX/cyclonedx-node-npm)\n\nA big thank-you to the teams and volunteers who make these amazing tools available.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshiftleftcyber%2Fshiftsbomgen-node","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshiftleftcyber%2Fshiftsbomgen-node","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshiftleftcyber%2Fshiftsbomgen-node/lists"}