cyclonedx-bom -append not working as expected about cyclonedx-node-module HOT 6 CLOSED

@coderpatros so the proper way to achieve my goal is to

1. Cd desired location
2. Npm install
3. Cyclonedx-bom
4. Cd project root
5. Cyclonedx-npm -a desiredlocation/bom.xml

And iterate through all packages?

from cyclonedx-node-module.

@stevespringett I am not an expert in field of npm projects. It happen to me multiple times that I have encountered multi module project where running npm install && cyclonedx-bom in root directory produced me an empty bom while running cyclonedx-bom on separate modules provide results
try this repo for example: https://github.com/lerna/lerna
running npm install && cyclonedx-bom in root directory produce bom.xml with 62 lines

while running npm install && cyclonedx-bom in utils/log-packed produce 873 lines bom.xml

combining them with @coderpatros tip result in 921 bom.xml combined

PS @coderpatros this works, thank You!

from cyclonedx-node-module.

Hi @siewer it works the other way around.

When you invoke cyclonedx-bom -a /tmp/lerna/bom.xml it is appending /tmp/lerna/bom.xml to the newly generated SBOM.

from cyclonedx-node-module.

That should do it.

Although a comma separated list should work for the last step too.

from cyclonedx-node-module.

@siewer I'm curious why this approach is being taken. When generating BOMs, transitive dependencies will be included, so normally, there isn't a need to create BOMs for every package, unless of course that is the requirement.

from cyclonedx-node-module.

For any future visitors to this issue. You shouldn't normally need this for a single Node.js project. But might need it for mono repos where you want to create a consolidated view for the entire repo.

Another really good use case is where you are generating an SBOM for server and client side dependencies. i.e. .NET for server side and JS client side.

from cyclonedx-node-module.