
cyclonedx-node-module's Introduction



CycloneDX BOM

This is a so-called meta-package: it ships no functionality of its own, but is a collection of optional dependencies. Those dependencies are tools* that share one purpose:
generating CycloneDX Software Bill of Materials (SBOM) from node-based projects.

| ecosystem | actual tool |
|-----------|-------------|
| npm       | @cyclonedx/cyclonedx-npm |
| pnpm      | To be announced, suggestions welcome. Candidate: cyclonedx-node-pnpm |

*) Do not depend on this meta-package itself; depend instead on the actual tool that fits your specific (eco)system.

In addition, there are tools worth mentioning that cannot (yet) be installed as a dependency and require other, manual installation methods.

| ecosystem | actual tool |
|-----------|-------------|
| yarn      | @cyclonedx/yarn-plugin-cyclonedx |

Out of Scope

There are systems that do not target node, but use node as a runtime/compiler environment, or use the node package registry as a distribution system. These systems are out of scope; therefore the following tools are not part of this meta-package.

| system          | actual tool(s) |
|-----------------|----------------|
| Angular         | @cyclonedx/webpack-plugin with Angular |
| Bower           | None. (Bower is deprecated!) |
| esbuild         | To be announced, suggestions welcome. Candidate: cyclonedx-esbuild-plugin |
| Parcel          | To be announced, suggestions welcome |
| React           | @cyclonedx/webpack-plugin with React |
| Rollup          | rollup-plugin-sbom |
| Rspack/Rsbuild  | To be announced, suggestions welcome |
| Svelte          | To be announced, suggestions welcome |
| Vite            | rollup-plugin-sbom with Vite |
| webpack         | @cyclonedx/webpack-plugin |

Library

If you are looking for a JavaScript/TypeScript library for working with CycloneDX, its data models or serialization, then you might want to try @cyclonedx/cyclonedx-library.

Contributing

You want to have a certain node-based tool added?
Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.

Copyright & License

CycloneDX Node Module is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.


Previous versions

This project used to be a tool-set and a library to generate and work with CycloneDX Software Bill of Materials (SBOM) from npm- and yarn-based projects.
Since version 4.0, this was all split into individual projects, and this project changed to a bare meta-package.

Previous versions of this package are still available via the npmjs version history and the GitHub releases.

cyclonedx-node-module's People

Contributors

anush-cr, bmodotdev, c0d3nh4ck, coderpatros, davideicardi, dependabot-preview[bot], dependabot[bot], eoftedal, foresteckhardt, janbiasi, jharwood91, jkowalleck, jonasac, kabo, koconnor-dev, kro29200, mckalea, peschuster, raineinto, sophiewigmore, stevespringett, vaaralav, webwart-bln


cyclonedx-node-module's Issues

Cannot generate BOM file

Hi there! Can someone explain to me why I need to run npm install before I generate a BOM file for the project dependencies?
It seems to me that I am missing something. I run this from the project directory where the package.json file is located:
I appreciate any advice. Thank you in advance.

How to exclude devDependencies

Is there a way to create the bom.xml with only the "dependencies", excluding the "devDependencies" ?
I'm sending this bom.xml to Dependency-Track, and I don't want to register dev dependencies like protractor test libs or angular-devkit.

Adding maven generated BOM breaks xml

When generating a node BOM and using -a to add an already generated maven-project BOM (1.5.0+), the xml is broken, since the maven BOM has, since version 1.5.x, a dg: namespace defined. The node-generated BOM has not.

This scenario is very useful for us, since we deliver the Java backend and the JS frontend in the same package, but they are built with their respective build tools.

There are no components in the BOM

Hello guys
while I'm trying to execute cyclonedx-bom, I'm always getting this

"There are no components in the BOM. The project may not contain dependencies or node_modules does not exist. Executing npm install prior to CycloneDX may solve the issue."


This is the screenshot. As you can see, after executing npm install I have node_modules created, but CycloneDX doesn't really recognize it.

Can you help me with that please?

Thanks a lot
Vince

Generated BOM is empty

I'm running cyclonedx-bom v1.0.4 and want to test and generate a BOM from the Vue.js repo (https://github.com/vuejs/vue). I have cloned the repo locally and cd'd to that directory:

cyclonedx-bom
Result:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:87c904d4-7d21-4f51-aef2-8aaa7496a556">
    <components>
    </components>
</bom>

Then I try to run npm install, which results in:

added 1491 packages from 1554 contributors and audited 11951 packages in 36.94s
found 14 vulnerabilities (3 low, 10 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

Once again I try cyclonedx-bom:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:85ab67e4-1942-4f07-abd4-3b8d5ed2ef3c">
    <components>
    </components>
</bom>

What am I doing wrong here? Seems to me the output should not be an empty XML file?

Empty component in bom file

I have a problem creating a bom file for a Vue.js project.

The bom file includes an empty component like this:

<component type="library">
    <name>
    </name>
    <version>
    </version>
    <description>
        <![CDATA[]]>
    </description>
    <licenses>
        <license>
        </license>
    </licenses>
    <purl>pkg:npm/@</purl>
    <modified>false</modified>
</component>

otherwise the bom file can be imported to dependency track only after deleting the empty component.

Any idea how to debug this!

npx usage broken in version 2.0.0

Running command:

npx @cyclonedx/[email protected] -o bom.xml

Bom is generated perfectly.

Running command:
npx @cyclonedx/bom -o bom.xml OR npx @cyclonedx/bom -o super-bom.xml -a composer-bom.xml

Bom is NOT generated.

Error:
\AppData\Roaming\npm-cache\_npx\5908\node_modules\@cyclonedx\bom\node_modules\packageurl-js\src\package-url.js:28
throw new Error('Invalid purl: "' + key + '" is a required field.');

Error: Invalid purl: "name" is a required field.

Nothing in release notes about updating commands for generation of bom files.

CPE notation

Hi there! I am planning on using this tool and want to include an entry in my Bill of Materials for it.

I am trying to formulate a CPE for it and this is what I have come up with: cpe:2.3:a:cyclonedx:cyclonedx-node-module:3.0.3:*:*:*:*:*:*:*.

Does this seem reasonable? I just want to be able to use it to look up any CVEs that may come up.
Thanks!

url generation with invalid urls

When generating a bom with this repo, I have found that the component externalReferences reference of type vcs will produce an invalid url, which starts with "git+", as shown below

<externalReferences>
 <reference type="website">
  <url>https://material-ui.com/</url>
 </reference>
 <reference type="issue-tracker">
  <url>https://github.com/mui-org/material-ui/issues</url>
 </reference>
 <reference type="vcs">
  <url>git+https://github.com/mui-org/material-ui.git</url>
 </reference>
</externalReferences>

When trying to re-enter a bom generated with the incorrect url, the vcs reference type will be dropped. In my case the vcs is similar enough to the other two references that this has no impact.

Using CycloneDX Node.js module 2.0.2 with node version 14.4.0

Detected dependencies diff with cdxgen output

I have observed some differences in the output (bom.xml) of cyclonedx-bom compared to the output of cdxgen.

In some projects cyclonedx-bom reports fewer dependencies than cdxgen, and on rare occurrences 2 or 3 more (but those are mostly the project itself).

For example, I have a project in which cyclonedx-bom only detects 5 dependencies, when cdxgen reports 63 dependencies.

Do you have a clue on what is going on?

Support for {yarn,npm} workspaces

We use a mono repo with yarn workspaces. I've tried running cyclonedx-bom at the repo root and in individual projects but it doesn't detect any packages.
Cli Error:

There are no components in the BOM. The project may not contain dependencies or node_modules does not exist. Executing npm install prior to CycloneDX may solve the issue.

Testing with a single project repository works as expected.

Is this supported?

3.0.5 regression. Fails on not finding package-lock.json

When running 3.0.5 with npx after building with yarn, we get this crash. Running the exact same thing in 3.0.4 works.

internal/fs/utils.js:220
    throw err;
    ^

Error: ENOENT: no such file or directory, open 'package-lock.json'
    at Object.openSync (fs.js:440:3)
    at Object.readFileSync (fs.js:342:35)
    at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/index.js:26:34
    at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:142:5
    at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
    at cb (/root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
    at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
    at cb (/root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
    at /root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
    at cb (/root/.npm/_npx/1/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24) {
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: 'package-lock.json'

Improve hash support

Hash support needs serious improvement. It appears that hashes are taken from the package itself rather than calculated. If the package didn't have a hash, it doesn't show up in the resulting bom. In addition, if a component's package does have a hash, it's rare that it will contain more than one (sha1 or sha-512, but not both, for example).

Need to investigate the ability to generate all supported hashes for packages and ensure that unmodified packages have the same hash value as stated in the package manifest. If a hash is generated that doesn't match what's in the package, then flip the modified element to true.

Silently fails when specified output subdirectory doesn't exist

Version: 2.0.1
Node Version: 10.20.1
OS: macOS Mojave 10.14.6

When running cyclonedx-bom and specifying a custom output location, if the location specified doesn't exist, the bom file won't be created but the process will exit successfully with no indication of failure

Given that this library aims to support Node 8.x and onward, it'd probably make the most sense to return a non-zero exit code and provide some kind of error message in this case (since native support for auto-creation of subdirectories on fs.writeFile doesn't seem to exist until 10.12.0 and this seems to be the culprit: https://github.com/CycloneDX/cyclonedx-node-module/blob/master/bin/cyclonedx-bom#L82)

Error: cannot read property 'replace' of undefined

@cyclonedx/[email protected]
npm v5.4.2
node v8.9.3

Running this command:
cyclonedx-bom -o . <path>

Seeing this error:

    let purlName = pkg.name.replace("@", "%40"); // Encode 'scoped' npm packages in purl
                            ^

TypeError: Cannot read property 'replace' of undefined
    at addComponent (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\index.js:46:29)
    at listComponents (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\index.js:35:5)
    at readInstalled (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\index.js:159:15)
    at C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\read-installed\read-installed.js:142:5
    at C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\read-installed\read-installed.js:263:14
    at asyncMap (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\slide\lib\async-map.js:27:18)
    at next (C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\read-installed\read-installed.js:234:5)
    at C:\Users\user1\AppData\Roaming\npm\node_modules\@cyclonedx\bom\node_modules\read-installed\read-installed.js:179:7
    at LOOP (fs.js:1745:14)
    at _combinedTickCallback (internal/process/next_tick.js:131:7)

Cyclonedx license file: looks like it's missing "[yyyy] [name of copyright owner]"

Integrating your excellent tool into a security orchestrator I'm building at the moment,

I noticed your Apache 2.0 license doesn't look completed; it needs year/person populated:

Copyright {yyyy} {name of copyright owner}
https://github.com/CycloneDX/cyclonedx-node-module/blob/master/LICENSE

Also, it might be easier to embed the short-form linked version of the license. I find it makes it easier, as you can see where to edit it at the top rather than at the bottom of a long license! :)

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License."

http://www.apache.org/licenses/LICENSE-2.0#apply

ta

Anthony

cyclonedx-bom -append not working as expected

I have a project with multiple packages on it. I would like to execute cyclonedx-bom on each package and append results to the root one but I am unable to do so.

steps to reproduce:

cd /tmp
git clone https://github.com/lerna/lerna
cd lerna
npm install
cyclonedx-bom
cat bom.xml | wc -l
> 37
cd utils/log-packed/
npm install
cyclonedx-bom -a /tmp/lerna/bom.xml
cat /tmp/lerna/bom.xml |wc -l
> 37
cat /tmp/lerna/utils/log-packed/bom.xml | wc -l
> 873

After running the plugin in the root directory I have a bom of 37 lines (empty because the root package.json does not contain any dependencies). After running cyclonedx-bom on another package (which has a few dependencies) I get a bom with 873 lines, but setting -a to the root bom did nothing; it is still 37 lines.

Can anyone give me a hint how to make it work?

append json not working

Steps to reproduce

I have created two projects (first_project and second_project). I was trying to append the json output from first_project to the current json output of second_project using the following command: cyclonedx-bom -o ../second_bom.json -a ~/first_project/first_bom.json

Output

When I open second_bom.json output file I can only see components for second_project.

Expected output

Expected to see components for first_project appended to second_bom.json file

Regression in version 2.0.2

I observe a regression in the version 2.0.2, this happens:

cyclonedx-bom -h
/usr/lib/node_modules/@cyclonedx/bom/node_modules/ssri/index.js:25
const ssriOpts = (opts = {}) => ({ ...defaultOpts, ...opts })
^^^

SyntaxError: Unexpected token ...
at createScript (vm.js:56:10)
at Object.runInThisContext (vm.js:97:10)
at Module._compile (module.js:549:28)
at Object.Module._extensions..js (module.js:586:10)
at Module.load (module.js:494:32)
at tryModuleLoad (module.js:453:12)
at Function.Module._load (module.js:445:3)
at Module.require (module.js:504:17)
at require (internal/module.js:20:19)
at Object. (/usr/lib/node_modules/@cyclonedx/bom/model/HashList.js:19:14)

Note : the program behaves normally in version 2.0.1

Not parsing package.json dependencies

npm v5.4.2
node v8.6.0
cyclonedx-bom v0.2.4

Having an issue on my build server where a bom.xml file is generated, but is missing most/all of the dependencies specified in the package.json file:

<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
    <components>
        <component type="library">
            <name>MyApp</name>
            <version>1.0.0</version>
            <description>
                <![CDATA[Customer Facing Reporting Tool]]>
            </description>
            <licenses>
                <license>
                    <name>UNLICENSED</name>
                </license>
            </licenses>
            <purl>pkg:npm/[email protected]</purl>
            <modified>false</modified>
        </component>
    </components>
</bom>

However, looking at the package.json file, I can clearly see many dependencies specified:

{
  "name": "MyApp",
  "version": "1.0.0",
  "description": "Customer Facing Reporting Tool",
  "author": "My Company",
  "license": "UNLICENSED",
  "repository": "http://somedomain/tfs/DefaultCollection/SMG.Global/",
  "private": true,
  "config": {
    "environment": "local"
  },
...
  "dependencies": {
    "angular": "1.5.9",
    "angular-animate": "1.5.9",
    "angular-aria": "1.5.9",
    "angular-drag-and-drop-lists": "^2.1.0",
    "angular-local-storage": "^0.6.0",
    "angular-material": "1.1.4",
    "angular-messages": "1.5.3",
    "angular-resource": "1.4.8",
    "angular-route": "1.3.15",
    "angular-template-cache": "^1.2.0",
    "angular-touch": "1.5.9",
    "angular-translate-loader-pluggable": "^1.3.1",
    "angular-ui-router": "0.2.15",
    "file-saver": "^1.3.3",
    "gulp-string-replace": "^1.1.1",
    "lodash.assign": "^4.2.0",
    "tinymce": "^4.8.1",
    "xlsx": "0.10.3"
  },
  "devDependencies": {
    "babel-core": "6.24.1",
    "babel-preset-es2015": "^6.14.0",
    "chromedriver": "2.29.0",
    "commander": "1.1.0",
    "del": "^3.0.0",
    "envar": "2.0.0",
    "eslint": "^3.19.0",
    "eslint-config-angular": "^0.5.0",
    "eslint-plugin-angular": "^1.3.1",
    "gulp": "^3.9.1",
    "gulp-angular-filesort": "^1.1.1",
    "gulp-angular-templatecache": "1.9.1",
    "gulp-babel": "^6.1.2",
    "gulp-clean-css": "^2.0.12",
    "gulp-cli": "^1.4.0",
    ...
  }
}

The odd thing here is that on my development machine (npm v5.4.2, node v8.9.3, cyclonedx-bom v0.2.4) I get the full listing of dependencies....

Is this a node version issue? Can I somehow get some verbose/debug logging to find out what's up?

Thanks!
Drew

cyclonedx-node-module ignores package-lock.json

To get the list of installed components, cyclonedx-node-module uses the module read-installed, which reads this information from package.json and node_modules (see https://github.com/npm/read-installed/blob/master/read-installed.js). So we need either to update the docs for usage of cyclonedx-node-module and add the required base step npm install before launching cyclonedx-bom, or to implement support for package-lock.json. Without this step, cyclonedx-bom generates an empty BOM file for a project with package.json and package-lock.json but without node_modules.

Provide option to include/not include licenseText

As the licenseText(s) can be quite long, it would be nice to have the option to include or not include the licenseText.

The maven module provides a similar option:

    <includeLicenseText>true</includeLicenseText>

Merging with existing bom creates extra components section

The fix in 1.1.2 that merges using DOM creates an extra tag, making only the JS dependencies get parsed by dtrack, not the java ones.

Here is a short example file merging with an existing cyclonedx-maven 1.6.0 bom file.

Bugsnag is from cyclonedx-node and FasterXML from cyclonedx-maven 1.6.0.

The dg: elements are dropped as noted in previous fix, but notice the extra components element in the middle of the two components, and also the two elements.

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="urn:uuid:8aa6025b-9439-42c8-b93f-8835b71d7214" version="1">
    <components>
        <component type="library" bom-ref="pkg:npm/bugsnag/%40bugsnag%[email protected]">
            <group>bugsnag</group>
            <name>js</name>
            <version>6.5.0</version>
            <description>
                <![CDATA[Universal Javascript error reporting. Automatically detect JavaScript errors in the browser and Node.js, with plugins for React, Vue, Angular, Express, Restify and Koa.]]>
            </description>
            <licenses>
                <license>
                    <id>MIT</id>
                    <text content-type="text/txt">
                        <![CDATA[Copyright (c) Bugsnag, https://www.bugsnag.com/
                        
                        Permission is hereby granted, free of charge, to any person obtaining
                        a copy of this software and associated documentation files (the "Software"),
                        to deal in the Software without restriction, including without limitation
                        the rights to use, copy, modify, merge, publish, distribute, sublicense,
                        and/or sell copies of the Software, and to permit persons to whom the Software
                        is furnished to do so, subject to the following conditions:
                        
                        The above copyright notice and this permission notice shall be included in
                        all copies or substantial portions of the Software.
                        
                        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
                        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
                        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
                        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
                        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
                        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
                        THE SOFTWARE.
                        ]]>
                    </text>
                </license>
            </licenses>
            <purl>pkg:npm/bugsnag/%40bugsnag%[email protected]</purl>
            <externalReferences>
                <reference type="website">
                    <url>https://www.bugsnag.com/</url>
                </reference>
                <reference type="issue-tracker">
                    <url>https://github.com/bugsnag/bugsnag-js/issues</url>
                </reference>
                <reference type="vcs">
                    <url>git+ssh://[email protected]/bugsnag/bugsnag-js.git</url>
                </reference>
            </externalReferences>
        </component>
<components>
    <component bom-ref="pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar" type="library">
        <publisher>FasterXML</publisher>
        <group>com.fasterxml.jackson.core</group>
        <name>jackson-core</name>
        <version>2.10.2</version>
        <description>Core Jackson processing abstractions (aka Streaming API), implementation for JSON</description>
        <scope>required</scope>
        <hashes>
            <hash alg="MD5">5514a46e38331f8c8262ea63bf36483e</hash>
            <hash alg="SHA-1">73d4322a6bda684f676a2b5fe918361c4e5c7cca</hash>
            <hash alg="SHA-256">4c41f22a48f6ebb28752baeb6d25bf09ba4ff0ad8bfb82650dde448928b9da4f</hash>
            <hash alg="SHA-384">4c7522e20c2a13aead0522d5529dd3b549584fd06e11fe06f1d61925699b632974a85be017bdfec8246151ff3b8c1c60</hash>
            <hash alg="SHA-512">5055943790cea2c3abbacbe91e63634e6d2e977cd59b08ce102c0ee7d859995eb5d150d530da3848235b2b1b751a8df55cff2c33d43da695659248187ddf1bff</hash>
        </hashes>
        <licenses>
            <license>
                <id>Apache-2.0</id>
            </license>
        </licenses>
        <purl>pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar</purl>
        <externalReferences>
            <reference type="vcs">
                <url>http://github.com/FasterXML/jackson-core</url>
            </reference>
            <reference type="website">
                <url>http://fasterxml.com/</url>
            </reference>
            <reference type="distribution">
                <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
            </reference>
            <reference type="issue-tracker">
                <url>https://github.com/FasterXML/${project.artifactId}/issues</url>
            </reference>
        </externalReferences>
    </component>
</components>
</components>
</bom>

Help with Dependency graph

I have started using CycloneDX for our node.js (angular) project and our .Net Core 3.1 Rest API. It works great however we never see a Dependency graph (" nodes") in our generated BOM reports. What do I need to get this information added to the BOM file?

using -a option loses data from attached bom

We have a .net and npm project. When first analyzing the .net application with dotnet-cyclonedx a bom.xml is generated. If I want to use -a to combine the results from cyclonedx-bom and the dotnet-cyclonedx, it seems it removes every other .net package found from the combined list.
In the combined output I see all the npm packages, and only half of the package reported by dotnet.

What I notice: dotnet reports for instance packages A B C D E F G H
then in the combined output I see A C E G

Or am I doing something wrong here?

Issue with using this library when it finds a license that isn't in the list

We are using this library in auditjs to generate an SBOM to send to Nexus IQ Server.

We've run into an issue with a few libraries where the license is presented as something that isn't in your current list.

An example is:

https://github.com/substack/node-optimist/blob/master/package.json#L35

That license is declared as MIT/X11 when in reality it should either be MIT X (not in your list) or X11

When the sbom is created, a license section with a Name is created, just no ID, and this fails validation in Nexus IQ Server.

I'm curious if we should add these kinda odd license types to your list, or if a PR of some sort where if it can't find an ID it adds something that indicates the license is Non-Conforming or something akin?

Thanks!

Differences in bom.xml depending on the platform (Windows vs. Linux)

npm 6.4.1
node v10.15.3
@cyclonedx/bom 1.0.2

The generated xml output differs depending on whether you generate it on Windows or on Linux. With Linux you actually get fewer components with license texts. The license text of a component is missing if its license file has an all-lowercase file name.

E.g. on Linux:

  • License file of package [email protected] is captured, because the filename is "LICENSE"
  • License file of package [email protected] is not captured, because the filename is "license"

[Question] How can I find where a specific dependency is coming from?

cyclonedx-node-module 0.2.4
npm 5.4.2
node 8.6.0
dependency-track 3.4.0

I have a web project using npm to load dependencies. I have the cyclonedx-node-module running on my build server generating a bom file for my project. I'm seeing a dependency in the list that was flagged as critical, and I didn't recognize the package, so naturally I tried to find where it was being referenced.

See "macaddress" dependency in this image:

When I run a scan on my project folder I do not find a direct reference to the "macaddress" dependency in package.json, but I do find it in the package-lock.json file.

"macaddress": {
      "version": "0.2.8",
      "resolved": "https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz",
      "integrity": "sha1-WQTcU3w57G2+/q6QIycTX6hRHxI="
    },

I then found that there was a second reference under package-lock.json for "macaddress"

"uniqid": {
      "version": "4.1.1",
      "resolved": "https://registry.npmjs.org/uniqid/-/uniqid-4.1.1.tgz",
      "integrity": "sha1-iSIN32t1GuUrX3JISGNShZa7hME=",
      "requires": {
        "macaddress": "0.2.8"
      }
    },

Which appears to be the parent dependency pulling "macaddress" in.
And that comes from...

 "postcss-filter-plugins": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/postcss-filter-plugins/-/postcss-filter-plugins-2.0.2.tgz",
      "integrity": "sha1-bYWGJTTXNaxCDkqFgG4fXUKG2Ew=",
      "requires": {
        "postcss": "5.2.18",
        "uniqid": "4.1.1"
      },
      "dependencies": {

And so on...
Eventually, this builds out to a dependency tree like this:

css-loader (referenced in "dependencies" section of package.json)
|-cssnano
 |--postcss-filter-plugins
  |---uniqid
   |----macaddress

My question is how can we resolve this dependency tree in the cyclonedx-node-module bom generation? Either that or dependency-track itself should resolve this. I'm going to have people asking about critical vuln dependencies and I would love to figure out how the heck these are getting pulled in without doing the time-intensive dirty work. Seems like this should be possible.

Let me know if I need to elaborate further.

Thanks!
Drew

Retrieve hashes from `package-lock.json`

In NPM 7 (used in node engine v14+), there is a new package-lock.json structure (lockfile version 2). This structure removes all module integrity information from the module specific package.json files, and moves it into the top-level package-lock.json. It appears that this tool only looks in the old location, and does not consider the integrity that may be in the package-lock.json. Because of this, the cyclonedx-node-module tool does not find any hashes for node modules in apps that use node-engine v14+. Ideally, I would still expect hashes to be located for these apps.

I mentioned this issue in #25, but I think this issue can be resolved by expanding the files that are looked at in HashList.js to include the lockfile.

Failed to generate BOM file

Hello,

I tried to generate a BOM file but it raises an error :

cyclonedx-bom -o bom.xml
/usr/local/lib/node_modules/@cyclonedx/bom/bin/cyclonedx-bom:10
let arguments = process.argv.slice(2);
^
SyntaxError: Identifier 'arguments' has already been declared
at Object.exports.runInThisContext (vm.js:76:16)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.runMain (module.js:604:10)
at run (bootstrap_node.js:394:7)
at startup (bootstrap_node.js:149:9)
at bootstrap_node.js:509:3

Bug: v1.1.0 fails to generate BOM on projects with no dependencies

Starting with version 1.1.0, the following error is encountered when running on a project with no dependencies:

$ npm install -g @cyclonedx/bom
/usr/local/bin/cyclonedx-bom -> /usr/local/lib/node_modules/@cyclonedx/bom/bin/cyclonedx-bom
+ @cyclonedx/[email protected]
added 41 packages from 37 contributors in 2.149s
$ cyclonedx-bom -o bom.xml
/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/xmlbuilder/lib/XMLNode.js:191
          throw new Error("Could not create any elements with: " + name + ". " + this.debugInfo());
          ^
Error: Could not create any elements with: . node: <components>, parent: <bom>
    at XMLElement.element (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/xmlbuilder/lib/XMLNode.js:191:17)
    at XMLElement.ele (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/xmlbuilder/lib/XMLNode.js:611:21)
    at /usr/local/lib/node_modules/@cyclonedx/bom/index.js:208:27
    at /usr/local/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:142:5
    at /usr/local/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
    at cb (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
    at /usr/local/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
    at cb (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
    at /usr/local/lib/node_modules/@cyclonedx/bom/node_modules/read-installed/read-installed.js:263:14
     at cb (/usr/local/lib/node_modules/@cyclonedx/bom/node_modules/slide/lib/async-map.js:47:24)
ERROR: Job failed: exit code 1

The output does appear correct if devDependencies are included.

Previous versions would generate the following output:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1" serialNumber="urn:uuid:3b14e096-3de2-4fec-81ce-7ad082ff99fe">
    <components>
    </components>
</bom>

[BOWER] Bower support

First of all, thanks for a great package!

I'm working with a few legacy projects and would like to track the bower dependencies in these projects.

I would like to ask if the direction of this project would allow support for bower?

I understand that bower is not being recommended anymore and I would be happy to help implement this functionality, however I thought I'd ask before submitting a PR or creating a separate module.

Thanks

purl of scoped packages

I'm trying to get my head around scoped packages in npm.
Maybe I'm wrong and overlooked something, please have a look.

Purl Spec

According to the purl-spec for npm packages, scoped packages shall use the package's scope as the purl namespace. Example from the spec:

pkg:npm/%40angular/[email protected]
  • type: npm
  • namespace: @angular encoded as %40angular
  • name: animation
  • version: 12.3.1

Problem

However, when I use cyclonedx-bom -d -o bom.xml I get in the generated BOM URLs like this:

<purl>pkg:npm/angular/%40angular%[email protected]</purl>
  • type: npm ✔️
  • namespace: angular, not encoded because no @ in there
    • ❌ should be @angular
  • name: @angular/animation, encoded as %40angular%2Fanimations
    • ❌ should be animation
  • version: 9.1.4 ✔️

Version

$ cyclonedx-bom --version
1.1.3
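
Building an npm purl the way the spec quoted above describes, as an added example that is not code from cyclonedx-node-module: the scope becomes the percent-encoded namespace and the bare name follows it. A small parser then checks both forms from this issue, so the malformed one (name containing the scope and a slash) can be caught. The package names and versions are the ones quoted in the issue; the function names are this example's own.

```javascript
'use strict';

// Percent-encode one purl path segment: '@' -> %40, '/' -> %2F, and so on.
function encodeSegment(s) {
  return encodeURIComponent(s);
}

// Split "@scope/name" into namespace and name; unscoped names have none.
function splitNpmName(fullName) {
  const m = /^(@[^/]+)\/([^/]+)$/.exec(fullName);
  if (m) return { namespace: m[1], name: m[2] };
  if (fullName.startsWith('@') || fullName.includes('/')) {
    throw new Error(`not a valid npm package name: ${fullName}`);
  }
  return { namespace: null, name: fullName };
}

// purl for an npm package: pkg:npm/<namespace>/<name>@<version>.
function npmPurl(fullName, version) {
  const { namespace, name } = splitNpmName(fullName);
  const path = (namespace ? encodeSegment(namespace) + '/' : '') + encodeSegment(name);
  return `pkg:npm/${path}` + (version ? '@' + encodeSegment(version) : '');
}

// Decode a purl into namespace, name and version (qualifiers and subpath
// are not handled here). Returns null when the string is not an npm purl.
function parseNpmPurl(purl) {
  const m = /^pkg:npm\/(?:([^/@]+)\/)?([^/@]+)(?:@([^/?#]+))?$/.exec(purl);
  if (!m) return null;
  return {
    namespace: m[1] ? decodeURIComponent(m[1]) : null,
    name: decodeURIComponent(m[2]),
    version: m[3] ? decodeURIComponent(m[3]) : null,
  };
}

// The rule from the spec: the name never carries a scope or a slash, and a
// namespace, when present, is exactly one "@scope".
function npmPurlIsWellFormed(purl) {
  const parts = parseNpmPurl(purl);
  if (!parts) return false;
  if (parts.name.includes('/') || parts.name.startsWith('@')) return false;
  if (parts.namespace !== null && !/^@[^/]+$/.test(parts.namespace)) return false;
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(npmPurl('@angular/animation', '12.3.1'));
  console.log(npmPurlIsWellFormed('pkg:npm/angular/%40angular%2Fanimations@9.1.4'));
}
```

A BOM consumer matching purls against a vulnerability database compares the decoded name, so a purl whose name still contains "@angular/" will not match the advisory for the scoped package; the well-formedness check is the kind of assertion worth running over generated BOMs.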

EISGIT error when running npm install after installing @cyclonedx/[email protected]

I just tried out @cyclonedx/[email protected] and noticed that I couldn't install a new dependency after I upgraded this module. npm install failed with code EISGIT.

Steps to reproduce

Run the following in an empty directory.

npm init -y && npm install --save @cyclonedx/bom && npm install

How to fix?

The reason the .git directory was included in the package was README.sample in node_modules/@cyclonedx/bom/.git/hooks. That file should be ignored when publishing the package to NPM. A similar thing happened recently with [email protected].

Workaround until the package is fixed in NPM

If this happens to you, you can remove the directory causing EISGIT: rm -rf node_modules/@cyclonedx/bom/.git.
