Create CycloneDX Software Bill of Materials (SBOM) from Node.js Yarn projects.

CycloneDX/cyclonedx-node-yarn

CycloneDX SBOM for yarn

Create CycloneDX Software Bill of Materials (SBOM) from yarn projects.

Requirements

  • node >= 18
  • yarn >= 3 (berry)

Installation

Install the plugin into your yarn project via one of the following methods:

  • zero-install: No install needed, just call on demand via dlx-wrapper as described in section "usage".
  • cli-wrapper: As a development dependency of the current project:
    yarn add --dev @cyclonedx/yarn-plugin-cyclonedx
  • plugin: Install the latest version from GitHub release asset as a plugin for the current project:
    yarn plugin import https://github.com/CycloneDX/cyclonedx-node-yarn/releases/latest/download/yarn-plugin-cyclonedx.cjs

Usage

Usage depends on the installation method:

  • With zero-install via dlx-wrapper:
    yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --help
  • After cli-wrapper installation:
    yarn exec cyclonedx-yarn --help
  • After plugin installation:
    yarn cyclonedx --help

The help page:

Generates CycloneDX SBOM for current workspace.

━━━ Usage ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

$ yarn cyclonedx

━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  --spec-version #0        Which version of CycloneDX to use.
                           (choices: 1.6, 1.5, 1.4, 1.3, 1.2, default: 1.5)
  --output-format #0       Which output format to use.
                           (choices: JSON, XML, default: JSON)
  --output-file #0         Path to the output file.
                           Set to "-" to write to STDOUT.
                           (default: write to STDOUT)
  --production,--prod      Exclude development dependencies.
                           (default: true if the NODE_ENV environment variable is set to "production", otherwise false)
  --mc-type #0             Type of the main component.
                           (choices: application, library, firmware, default: application)
  --short-PURLs            Omit all qualifiers from PackageURLs.
                           This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
  --output-reproducible    Whether to go the extra mile and make the output reproducible.
                           This might result in loss of time- and random-based values.
  --gather-license-texts   Search for license files in components and include them as license evidence.
                           This feature is experimental.
  --verbose,-v             Increase the verbosity of messages.
                           Use multiple times to increase the verbosity even more.

━━━ Details ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Recursively scan workspace dependencies and emits them as 
Software-Bill-of-Materials(SBOM) in CycloneDX format.

Internals

This yarn plugin utilizes the CycloneDX library to generate the actual data structures.

This tool does not expose any additional public API or classes - all code is intended to be internal and might change without any notice during version upgrades. However, the CLI is stable - you may call it programmatically like:

// Call the CLI, not the internals: spawn it as a child process and parse its JSON output.
const { execFileSync } = require('node:child_process')
const { constants: { MAX_LENGTH: BUFFER_MAX_LENGTH } } = require('node:buffer')
const sbom = JSON.parse(execFileSync(process.execPath, [
  '.../path/to/this/package/bin/cyclonedx-yarn-cli.js', // the CLI entry point of this package
  '--output-format', 'JSON',
  '--output-file', '-' // write the SBOM to STDOUT so it can be captured
  // additional CLI args
], {
  stdio: ['ignore', 'pipe', 'ignore'], // no STDIN, capture STDOUT, discard STDERR
  encoding: 'buffer', // raw bytes; JSON.parse stringifies the Buffer
  maxBuffer: BUFFER_MAX_LENGTH // SBOMs of large workspaces can exceed the default 1 MiB cap
}))

Development & Contributing

Feel free to open issues, bug reports or pull requests.
See the CONTRIBUTING file for details.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

For details and license posture of the assembly, see the LICENSE file in the respective release assets.