cyclonedx-bom -append not working as expected #85
Comments
Hi @siewer, it works the other way around. When you invoke
@coderpatros so the proper way to achieve my goal is to
And iterate through all packages?
That should do it. Although a comma-separated list should work for the last step too.
@siewer I'm curious why this approach is being taken. When generating BOMs, transitive dependencies will be included, so normally there isn't a need to create BOMs for every package, unless of course that is the requirement.
@stevespringett I am not an expert in the field of npm projects. It has happened to me multiple times that I have encountered a multi-module project where running `npm install && cyclonedx-bom` in the root directory produced an empty BOM, while running cyclonedx-bom on the separate modules provided results: running `npm install && cyclonedx-bom` in utils/log-packed produces an 873-line bom.xml, and combining them with @coderpatros's tip results in a 921-line combined bom.xml. PS @coderpatros this works, thank you!
For any future visitors to this issue: you shouldn't normally need this for a single Node.js project, but you might need it for monorepos where you want to create a consolidated view of the entire repo. Another really good use case is where you are generating an SBOM for server-side and client-side dependencies, i.e. .NET on the server side and JS on the client side.
I have a project with multiple packages in it. I would like to execute cyclonedx-bom on each package and append the results to the root one, but I am unable to do so.
Steps to reproduce:
After running the plugin in the root directory I have a BOM of 37 lines (empty because the root package.json does not contain any dependencies). After running cyclonedx-bom on another package (which has a few dependencies) I get a BOM with 873 lines, but setting -a to the root BOM did nothing: still 37 lines.
Can anyone give me a hint how to make it work?
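The workflow the thread converges on (generate a BOM inside each package, then run cyclonedx-bom in the root with `-a` pointing at the per-package BOMs as a comma-separated list), written out as an added shell example; this is not code from this issue or from the cyclonedx-bom project. It assumes that `-o <file>` writes the generated BOM to a file, that `-a` accepts a comma-separated list of BOM paths as the thread suggests, that absolute paths are the safe form to pass, and that `npm install` has already been run in every package as the reporter did. `list_packages`, `build_monorepo_bom` and the `CYCLONEDX_BOM` override are names introduced here.

```shell
#!/bin/sh
# Added example, not code from the cyclonedx-bom project or this thread.
# Builds one consolidated BOM for a monorepo: a BOM per package first, then
# a root BOM that appends the per-package BOMs via `-a`.
# Assumptions: `-o <file>` writes the BOM to a file and `-a` accepts a
# comma-separated list of absolute BOM paths, as suggested in the thread.
# Dependencies are expected to be installed (npm install) in each package.

# Print every directory under $1 that contains a package.json, one per
# line, sorted so the root comes first. node_modules trees are pruned so
# installed dependencies are not mistaken for workspace packages.
list_packages() {
  find "$1" -name node_modules -prune -o -name package.json -print \
    | sed 's#/package.json$##' | sort
}

# Generate the per-package BOMs, then the root BOM with `-a`.
# CYCLONEDX_BOM overrides the command name (hypothetical knob used for
# dry runs and tests). Paths containing whitespace are not supported by
# the word-splitting for-loop below.
build_monorepo_bom() {
  root=$(cd "$1" && pwd) || return 1
  cmd=${CYCLONEDX_BOM:-cyclonedx-bom}
  boms=""
  for dir in $(list_packages "$root" | grep -vxF "$root"); do
    out="$dir/bom.xml"
    # Run inside the package so cyclonedx-bom reads that package's tree,
    # which is what produced the 873-line BOM in the thread.
    (cd "$dir" && $cmd -o "$out") || return 1
    boms="${boms:+$boms,}$out"
  done
  if [ -n "$boms" ]; then
    (cd "$root" && $cmd -a "$boms" -o "$root/bom.xml")
  else
    # Single-package repo: nothing to append, a plain root BOM is enough.
    (cd "$root" && $cmd -o "$root/bom.xml")
  fi
}
```

Run it as `build_monorepo_bom /path/to/repo`; the root bom.xml is the consolidated view, and the per-package bom.xml files are left in place for inspection. Because `-a` is given to the root invocation rather than to the package invocations, the root run is the one that ends up larger, which matches the "other way around" hint earlier in the thread.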