
https://github.com/cyclonedx/cyclonedx-node-yarn

Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.

# CycloneDX SBOM for yarn

[![shield_yarnpkg-version]][link_yarnpkg]
[![shield_npm-version]][link_npm]
[![shield_gh-workflow-test]][link_gh-workflow-test]
[![shield_coverage]][link_codacy]
[![shield_ossf-best-practices]][link_ossf-best-practices]
[![shield_license]][license_file]
[![shield_website]][link_website]
[![shield_slack]][link_slack]
[![shield_groups]][link_discussion]
[![shield_twitter-follow]][link_twitter]

----

Create [CycloneDX] Software Bill of Materials (SBOM) from _[yarn]_ projects.

## 🚧 🏗️ this project is in RC/beta stage

All features are done, MVP is reached. Now it is time for public testing. 🚀

See the project's issues, discussions, pull requests, and milestones.
- progress: [milestone v1.0](https://github.com/CycloneDX/cyclonedx-node-yarn/milestone/1)
- planning: [discussion "vision"](https://github.com/CycloneDX/cyclonedx-node-yarn/discussions/8)

----

## Requirements

* `node >= 18`
* `yarn >= 3` (berry)

## Installation

Install the plugin into your yarn project via one of the following methods:

* **zero-install**: No install needed, just call on demand via dlx-wrapper as described in section "usage".
* **cli-wrapper**: As a development dependency of the current project:
```shell
yarn add --dev @cyclonedx/yarn-plugin-cyclonedx
```
* **plugin**: Install the [latest version from GitHub release](https://github.com/CycloneDX/cyclonedx-node-yarn/releases/latest) asset as a plugin for the current project:
```shell
yarn plugin import https://github.com/CycloneDX/cyclonedx-node-yarn/releases/latest/download/yarn-plugin-cyclonedx.cjs
```

## Usage

Usage depends on the installation method:

* With **zero-install** via dlx-wrapper:
```shell
yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --help
```
* After **cli-wrapper** installation:
```shell
yarn exec cyclonedx-yarn --help
```
* After **plugin** installation:
```shell
yarn cyclonedx --help
```

The help page:

```text
Generates CycloneDX SBOM for current workspace.

━━━ Usage ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

$ yarn cyclonedx

━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  --spec-version #0         Which version of CycloneDX to use.
                            (choices: 1.6, 1.5, 1.4, 1.3, 1.2, default: 1.5)
  --output-format #0        Which output format to use.
                            (choices: JSON, XML, default: JSON)
  --output-file #0          Path to the output file.
                            Set to "-" to write to STDOUT.
                            (default: write to STDOUT)
  --production,--prod       Exclude development dependencies.
                            (default: true if the NODE_ENV environment variable is set to "production", otherwise false)
  --mc-type #0              Type of the main component.
                            (choices: application, library, firmware, default: application)
  --short-PURLs             Omit all qualifiers from PackageURLs.
                            This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
  --output-reproducible     Whether to go the extra mile and make the output reproducible.
                            This might result in loss of time- and random-based values.
  --verbose,-v              Increase the verbosity of messages.
                            Use multiple times to increase the verbosity even more.

━━━ Details ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Recursively scan workspace dependencies and emits them as
Software-Bill-of-Materials(SBOM) in CycloneDX format.
```

## Internals

This _yarn_ plugin utilizes the [CycloneDX library][CycloneDX-library] to generate the actual data structures.

This tool does **not** expose any additional _public_ API or classes - all code is intended to be internal and might change without any notice during version upgrades.
However, the CLI is stable - you may call it programmatically like:
```javascript
const { execFileSync } = require('node:child_process')
// Use the largest buffer Node allows, since an SBOM of a big workspace can be large.
const { constants: { MAX_LENGTH: BUFFER_MAX_LENGTH } } = require('node:buffer')

// Run the bundled CLI with the current Node binary and parse its JSON from STDOUT.
// stdin is ignored, stdout is captured, stderr is discarded.
const sbom = JSON.parse(execFileSync(process.execPath, [
  '.../path/to/this/package/bin/cyclonedx-yarn-cli.js',
  '--output-format', 'JSON',
  '--output-file', '-'
  // additional CLI args
], { stdio: ['ignore', 'pipe', 'ignore'], encoding: 'buffer', maxBuffer: BUFFER_MAX_LENGTH }))
```

## Development & Contributing

Feel free to open issues, bug reports or pull requests.
See the [`CONTRIBUTING`][contributing_file] file for details.

## License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the [`LICENSE`][license_file] file for the full license.

For details and license posture of the assembly, see the `LICENSE` file in the respective release assets.

[license_file]: https://github.com/CycloneDX/cyclonedx-node-yarn/blob/1.0-dev/LICENSE
[contributing_file]: https://github.com/CycloneDX/cyclonedx-node-yarn/blob/1.0-dev/CONTRIBUTING.md

[CycloneDX]: https://cyclonedx.org/
[yarn]: https://yarnpkg.com/
[cyclonedx-library]: https://www.npmjs.com/package/@cyclonedx/cyclonedx-library

[shield_gh-workflow-test]: https://img.shields.io/github/actions/workflow/status/CycloneDX/cyclonedx-node-yarn/nodejs.yml?branch=1.0-dev&logo=GitHub&logoColor=white "tests"
[shield_coverage]: https://img.shields.io/codacy/coverage/b0af77db5c7b4ab7a36eab255c7f9ede?logo=Codacy&logoColor=white "test coverage"
[shield_ossf-best-practices]: https://img.shields.io/cii/percentage/8960?label=OpenSSF%20best%20practices "OpenSSF best practices"
[shield_yarnpkg-version]: https://img.shields.io/npm/v/%40cyclonedx%2Fyarn-plugin-cyclonedx/latest?registry_uri=https%3A%2F%2Fregistry.yarnpkg.com&logo=yarn&logoColor=white&label=yarnpkg "yarnpkg"
[shield_npm-version]: https://img.shields.io/npm/v/%40cyclonedx%2Fyarn-plugin-cyclonedx/latest?logo=npm&logoColor=white&label=npm "npm"
[shield_license]: https://img.shields.io/github/license/CycloneDX/cyclonedx-node-yarn?logo=open%20source%20initiative&logoColor=white "license"
[shield_website]: https://img.shields.io/badge/https://-cyclonedx.org-blue.svg "homepage"
[shield_slack]: https://img.shields.io/badge/slack-join-blue?logo=Slack&logoColor=white "slack join"
[shield_groups]: https://img.shields.io/badge/discussion-groups.io-blue.svg "groups discussion"
[shield_twitter-follow]: https://img.shields.io/badge/Twitter-follow-blue?logo=Twitter&logoColor=white "twitter follow"

[link_website]: https://cyclonedx.org/
[link_gh-workflow-test]: https://github.com/CycloneDX/cyclonedx-node-yarn/actions/workflows/nodejs.yml?query=branch%3A1.0-dev
[link_yarnpkg]: https://yarnpkg.com/package?name=%40cyclonedx%2Fyarn-plugin-cyclonedx
[link_npm]: https://www.npmjs.com/package/@cyclonedx/yarn-plugin-cyclonedx
[link_codacy]: https://app.codacy.com/gh/CycloneDX/cyclonedx-node-yarn/dashboard
[link_ossf-best-practices]: https://www.bestpractices.dev/projects/8960
[link_slack]: https://cyclonedx.org/slack/invite
[link_discussion]: https://groups.io/g/CycloneDX
[link_twitter]: https://twitter.com/CycloneDX_Spec