-
-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: generate SBOM from "global" scope #471
Comments
Ok, i got it to work (somewhat) by simply creating a mostly empty
|
This tool does not actually read the Therefore, I sense a feature request to building an SBOM on the globally installed npm packages. @schlenk , could you do me a favor and tell: npm ls --global |
Yes, the
|
re: #471 (comment) if it lists the top levels, we are good to continue, thanks. |
got feedback to a POC/preview implementation: #503 (comment)
I do have a question, @schlenk
What is the story behind this? |
@jkowalleck: The story about the external SBOM of a global install is actually fairly easy, even if unusual. I build some kind of SDK for developing specific enterprisey web applications based on React. So i want to get an SBOM for the components in that SDK, which is a wide variety of stuff, from a customized Apache httpd server to complete NodeJS install and some globally installed tools for that installation, merged into a big SBOM for all the parts. The NodeJS part ships with a few global installs, but cyclonedx-npm is not one of the tools that get bundled. So i have three options to choose from:
The third option is not much different to the usual case of using cyclonedx-npm on a package. If you use a global install of cyclonedx-npm the package does not get polluted with a new cyclonedx-npm dependency. So it basically asks: I want to treat a node_modules directory of a npm global install like i would treat it for package with a package.json that listed all the globally installed tools as dependencies. |
No need to install You could install it in any node-env (like global encapsulated TD=$(mktemp -d)
npm --prefix "$TD" install --no-save @cyclonedx/cyclonedx-npm@^1.7
npm --prefix "$TD" exec cyclonedx-npm -- <options> <path-to-project>
rm -rf "$TD" |
Ok, thank you. Yes, i did not understand it from the documentation. But in hindsight, its documented there. So that part is unnecessary, but the --global is still useful. |
Is your feature request related to a problem? Please describe.
I try to package a nodejs + NPM installation that ships a few global tools like yarn/dart-saas as part of a larger software installer.
So basically i do the following (with some in-house BSD/Mac ports style system):
Unzip a nodejs distro, e.g.
node-v18.12.1-win-x64.zip
and rename the folder to 'img'Provide some .tar.gz of sass & yarn, e.g.
sass-1.57.0.tar.gz
andyarn-v1.22.10.tar.gz
in the folder 'base'Run a global npm install for the packages, resolving dependencies from the npm registry
Try to get an SBOM for the installed global packages, either as a SBOM with multiple application components included or one SBOM per application.
Describe the solution you'd like
I would like to have an option to use this package to get SBOMs for the globally installed packages in my node_modules folder.
Describe alternatives you've considered
I used the cyclonedx-bom package before, just pointing it at the created
img/node_modules
to collect the actually installed global tools with dependencies. That worked mostly fine and created a useable SBOM.With this package this does not work, as the code complains about a missing package-lock.json when i run it for the individual apps and has no option at all to just consume the
img/node_modules
folder.There seems to be no way to tell
npm install --global
to create any form of lock file. Or i could not find it.The text was updated successfully, but these errors were encountered: