Create CycloneDX Software Bill of Materials (SBOM) from yarn projects.
See the project's issues, discussions, pull requests and milestone for the progress:

- planning/vision: CycloneDX#8

Development will happen in branch `1.0-dev`.
Feel free to contribute, write issues, create pull requests, or start discussions.
Please read the CONTRIBUTING file first.
Requirements (!! to be clarified ...):

- node >= 18
- yarn >= 4
Currently, there are no releases nor pre-builds. This means the only way to test this tool is by building it from source:

- clone this repository
- install the project dependencies: run `yarn install --immutable`
- create the bundle: run `yarn build`

Then, import the bundle into your project using `yarn import ...`, or reference it in the environment variable `YARN_PLUGINS`, like so:

```shell
YARN_PLUGINS=.../bundles/@yarnpkg/plugin-sbom.js yarn sbom --help
```
The help page:

```text
Generates CycloneDX SBOM for current workspace.

━━━ Usage ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

$ yarn CycloneDX make-sbom

━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  --spec-version #0        Which version of CycloneDX to use.
                           (choices: "1.2", "1.3", "1.4", "1.5", default: "1.5")
  --output-format #0       Which output format to use.
                           (choices: "JSON", "XML", default: "JSON")
  --output-file #0         Path to the output file.
                           Set to "-" to write to STDOUT.
                           (default: write to STDOUT)
  --production,--prod      Exclude development dependencies.
                           (default: true if the NODE_ENV environment variable is set to "production", otherwise false)
  --mc-type #0             Type of the main component.
                           (choices: "application", "framework", "library", "container", "platform", "device-driver", default: "application")
  --reproducible           Whether to go the extra mile and make the output reproducible.
                           This might result in loss of time- and random-based values.

━━━ Details ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Recursively scan workspace dependencies and emits them as
Software-Bill-of-Materials(SBOM) in CycloneDX format.
```
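As an added example (not part of this plugin or the CycloneDX project), the snippet below shows a consumer-side sanity check of the JSON the command writes: it verifies the option choices listed in the help page (`specVersion`, main component type) and, when the SBOM was produced with `--reproducible`, that no time- or random-based values (`metadata.timestamp`, `serialNumber`) leaked into the output. The SBOM document embedded here is constructed for illustration; the field names are those of the CycloneDX JSON format.

```javascript
// Choices copied from the plugin's --help output above.
const SUPPORTED_SPEC_VERSIONS = new Set(['1.2', '1.3', '1.4', '1.5']);
const MAIN_COMPONENT_TYPES = new Set([
  'application', 'framework', 'library', 'container', 'platform', 'device-driver',
]);

// Constructed sample: roughly what a tiny workspace yields with --reproducible
// (no serialNumber, no metadata.timestamp). Not real plugin output.
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  version: 1,
  metadata: {
    component: { type: 'application', name: 'example-app', version: '0.1.0' },
  },
  components: [
    { type: 'library', name: 'left-pad', version: '1.3.0', purl: 'pkg:npm/left-pad@1.3.0' },
    { type: 'library', name: 'lodash', version: '4.17.21', purl: 'pkg:npm/lodash@4.17.21' },
  ],
};

// Returns a list of findings; an empty list means the document passed.
// expectReproducible mirrors the plugin's --reproducible flag: that mode drops
// time- and random-based values, so their presence indicates a regression.
function checkSbom(bom, { expectReproducible = false } = {}) {
  const findings = [];
  if (bom.bomFormat !== 'CycloneDX') findings.push(`unexpected bomFormat ${bom.bomFormat}`);
  if (!SUPPORTED_SPEC_VERSIONS.has(bom.specVersion)) {
    findings.push(`unsupported specVersion ${bom.specVersion}`);
  }
  const main = bom.metadata && bom.metadata.component;
  if (!main) findings.push('metadata.component (main component) is missing');
  else if (!MAIN_COMPONENT_TYPES.has(main.type)) findings.push(`main component type ${main.type} not allowed`);
  // Every dependency should carry a purl, otherwise it cannot be matched against advisories.
  (bom.components || []).forEach((c, i) => {
    if (!c.purl) findings.push(`components[${i}] (${c.name}) has no purl`);
  });
  if (expectReproducible) {
    if (bom.serialNumber) findings.push('serialNumber present in reproducible output');
    if (bom.metadata && bom.metadata.timestamp) findings.push('metadata.timestamp present in reproducible output');
  }
  return findings;
}

// Usage: pass the parsed JSON written via --output-file instead of the sample.
const sampleFindings = checkSbom(SAMPLE_SBOM, { expectReproducible: true });
console.log(sampleFindings.length ? sampleFindings.join('\n') : 'SBOM looks consistent');
```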