Create Software Bill of Materials on build
Branch: sbom
We want to display a Software Bill of Materials (SBOM = a list of dependencies) within the app. The SBOM (a JSON file) should be created automatically when building the app and displayed on a page accessible through the app menu. Currently, we want to display the package names, versions and licenses.
The SBOM can be created using CycloneDX. However, this outputs more than we need (currently about 375KB) and the final JSON file should contain only the desired information.
Requirements/Tasks
- Write a Node script `sbom` that calls CycloneDX as part of the build process and outputs a JSON file
- Write another script `postsbom` that minifies the JSON file
- Create a component that displays the contents of the minified JSON file and add a menu entry
- Get CycloneDX to work with `yarn.lock` instead of `package-lock.json`
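Added example (not code from the ticket or the project): a `postsbom`-style reducer that takes a full CycloneDX JSON BOM and keeps only the package name, version and license the app page is meant to show. The field names (`components[].group`, `name`, `version`, `licenses[].license.id|name`, `licenses[].expression`) are those of the CycloneDX 1.4 JSON schema; the sample BOM at the bottom is constructed for the example and is not real CycloneDX output. The empty-components case is turned into a descriptive error, since that is the failure CycloneDX itself reports when `node_modules` is missing.

```javascript
// Added example: reduce a CycloneDX JSON BOM to { name, version, license } entries.
// Not the project's own `postsbom` script; field names follow the CycloneDX 1.4 schema.

// Turn one CycloneDX `licenses` entry into a display string.
// The schema allows either { license: { id | name } } or { expression }.
function licenseLabel(entry) {
  if (entry.expression) return entry.expression;
  if (entry.license) return entry.license.id || entry.license.name || 'UNKNOWN';
  return 'UNKNOWN';
}

// Reduce a full BOM object to [{ name, version, license }], sorted by name then version.
// Throws when the BOM carries no components, which is what CycloneDX produces when it
// runs without an installed node_modules tree ("There are no components in the BOM").
function minifySbom(bom) {
  if (!bom || bom.bomFormat !== 'CycloneDX') {
    throw new Error('Input is not a CycloneDX BOM (missing bomFormat)');
  }
  const components = Array.isArray(bom.components) ? bom.components : [];
  if (components.length === 0) {
    throw new Error('There are no components in the BOM; was node_modules present when CycloneDX ran?');
  }
  return components
    .map((c) => ({
      // Scoped packages carry the scope in `group`, e.g. group "@types", name "node".
      name: c.group ? `${c.group}/${c.name}` : c.name,
      version: c.version || 'unknown',
      // Several license entries are listed together; no license at all is made explicit.
      license: Array.isArray(c.licenses) && c.licenses.length > 0
        ? c.licenses.map(licenseLabel).join(', ')
        : 'UNKNOWN',
    }))
    // Plain code-point ordering keeps the output deterministic across locales.
    .sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : a.version < b.version ? -1 : a.version > b.version ? 1 : 0));
}

// File wrapper for use as the `postsbom` step: read CycloneDX output, write the reduced list.
// Dynamic import() of the fs module works whether or not package.json sets "type": "module".
async function minifySbomFile(inPath, outPath) {
  const fs = await import('node:fs/promises');
  const bom = JSON.parse(await fs.readFile(inPath, 'utf8'));
  const minified = minifySbom(bom);
  await fs.writeFile(outPath, JSON.stringify(minified));
  return minified.length;
}

// Constructed sample input in the CycloneDX JSON shape (not real tool output).
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.4',
  components: [
    { type: 'library', group: '@types', name: 'node', version: '18.11.9',
      purl: 'pkg:npm/%40types/node@18.11.9', licenses: [{ license: { id: 'MIT' } }] },
    { type: 'library', name: 'react', version: '18.2.0', purl: 'pkg:npm/react@18.2.0',
      licenses: [{ license: { id: 'MIT' } }],
      externalReferences: [{ type: 'website', url: 'https://reactjs.org/' }] },
    { type: 'library', name: 'example-dual', version: '1.0.0',
      licenses: [{ expression: 'MIT OR Apache-2.0' }] },
    { type: 'library', name: 'no-license-pkg', version: '0.1.0' },
  ],
};

// Four components in, four three-field records out; purl and externalReferences are dropped.
const MINIFIED = minifySbom(SAMPLE_BOM);
```

In the build, `minifySbomFile('sbom.json', 'sbom.min.json')` would run after the `sbom` script; the app component then renders `sbom.min.json`, which contains only the three fields, so the size problem described above goes away without touching what CycloneDX emits.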
Known issues
- The way of importing JSON files to Node scripts varies from Node version to version.
  - Node 16.17.0: `import sbom from './sbom.json' assert {type: 'json'}` and call script with `node sbom.js`
  - Node 16.13.0: `import sbom from './sbom.json'` and call script with `node --experimental-json-modules sbom.js`
  - Possible solution: Works with Node 16.13.0, 16.17.0 and latest 18.10.0. Note that `package.json` must specify `"type": "module"` for this to work.
    - Node 16.17.0:
      ```js
      import { createRequire } from 'module'
      const require = createRequire(import.meta.url)
      const sbom = require('./sbom.json')
      ```
- CycloneDX uses `package-lock.json` by default. We want to permanently switch to yarn, but `cyclonedx-node yarn.lock --output sbom.json` exits with an error: "There are no components in the BOM. The project may not contain dependencies or node_modules does not exist. Executing `npm install` prior to CycloneDX may solve the issue." I'm not experienced with Node/npm, this might be trivial.
  - Running the default `cyclonedx-node -o sbom.json` outputs: "Please review your project as multiple package management lock files exist, defaulting to package-lock.json"
  - If I delete `package-lock.json` and re-run the default command, it still works – does that mean `yarn.lock` is used?
- CycloneDX had a breaking change in version 4.0.0 (October 2022). It looks like it currently only supports npm. We're using 3.10.6, which to my knowledge should be able to work with yarn projects. We should look out for yarn support and update as soon as possible.
- Maybe CycloneDX isn't the right tool for the job, but it's the best I could find during my research. Here are my notes, feel free to take a look (first time sharing ClickUp documents, let me @noel.simmel know if it doesn't work).