Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/ulisesgascon/poc-sbom-javascript

Proof of concept project aimed to showcase how to generate SBOM for Javascript projects
https://github.com/ulisesgascon/poc-sbom-javascript

Last synced: about 20 hours ago
JSON representation

Proof of concept project aimed to showcase how to generate SBOM for Javascript projects

Host: GitHub
URL: https://github.com/ulisesgascon/poc-sbom-javascript
Owner: UlisesGascon
License: mit
Created: 2024-01-31T14:16:59.000Z (8 months ago)
Default Branch: main
Last Pushed: 2024-02-01T10:40:15.000Z (8 months ago)
Last Synced: 2024-02-01T16:36:30.528Z (8 months ago)
Language: JavaScript
Size: 56.6 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# POC - Using SBOM with javascript applications using npm and GitHub Actions

In this Proof of Concept (POC), we'll leverage GitHub Actions and npm to generate and verify the Software Bill of Materials (SBOM) for a straightforward JavaScript application.

### What is a SBOM?

> A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components. [CISA](https://www.cisa.gov/sbom)

### Demo: How to use it?

This repo has a very simple JavaScript application that used Express to create a simple server that returns a "Hello World" message.

This project has some dependencies that are defined in the [package.json](package.json) and in the [package-lock.json](package-lock.json). The source code can be found in the [index.js](index.js) file.

The package.json contains some scripts that will help us to generate the SBOMs:
- `generate-sbom:cyclonedx` will generate the SBOM in the CycloneDX format.
- `generate-sbom:spdx` will generate the SBOM in the SPDX format.
- `generate-sbom` will generate the SBOM in the CycloneDX and SPDX formats.

The SBOMs will be generated in the `./sbom` folder:
- `./sbom/cyclonedx.json` is the SBOM in the CycloneDX format, [see](sbom/cyclonedx.json).
- `./sbom/spdx.spdx` is the SBOM in the SPDX format, [see](sbom/spdx.json).

Additionally, the project is equipped with a GitHub Action that verifies changes in dependencies and ensures the Software Bill of Materials (SBOMs) are up to date. You can find the GitHub Action defined in the [.github/workflows/ci.yml](.github/workflows/ci.yml) file. The validation process involves removing dynamic elements, such as timestamps and serial numbers, from the SBOMs and comparing the existing files with the new ones generated during the `npm run generate-sbom` execution.

**Test the results**

The most simple way to see this difference is by checking these PRs:
- Passing: [#3](https://github.com/UlisesGascon/poc-sbom-javascript/pull/3)
- Failing: [#2](https://github.com/UlisesGascon/poc-sbom-javascript/pull/2)

### Resources

- [npm-sbom documentation](https://docs.npmjs.com/cli/v10/commands/npm-sbom)
- [The Software Package Data Exchange (SPDX)](https://spdx.dev/)
- [CycloneDX](https://cyclonedx.org/)