
cyclonedx-bom -append not working as expected #85

Closed
siewer opened this issue Sep 15, 2020 · 6 comments

Comments

@siewer

siewer commented Sep 15, 2020

I have a project with multiple packages in it. I would like to execute cyclonedx-bom on each package and append the results to the root one, but I am unable to do so.

Steps to reproduce:

cd /tmp
git clone https://github.com/lerna/lerna
cd lerna
npm install
cyclonedx-bom
cat bom.xml | wc -l
> 37
cd utils/log-packed/
npm install
cyclonedx-bom -a /tmp/lerna/bom.xml
cat /tmp/lerna/bom.xml |wc -l
> 37
cat /tmp/lerna/utils/log-packed/bom.xml | wc -l
> 873

After running the plugin in the root directory I have a bom of 37 lines (empty because the root package.json does not contain any dependencies). After running cyclonedx-bom on another package (which has a few dependencies) I get a bom with 873 lines, but setting -a to the root bom did nothing: still 37 lines.

Can anyone give me a hint how to make it work?

@coderpatros
Member

Hi @siewer, it works the other way around.

When you invoke cyclonedx-bom -a /tmp/lerna/bom.xml it is appending /tmp/lerna/bom.xml to the newly generated SBOM.

@siewer
Author

siewer commented Sep 15, 2020

@coderpatros so the proper way to achieve my goal is to:

  1. cd to the desired location
  2. npm install
  3. cyclonedx-bom
  4. cd to the project root
  5. cyclonedx-npm -a desiredlocation/bom.xml

and iterate through all packages?

@coderpatros
Member

That should do it.

Although a comma-separated list should work for the last step too.

@stevespringett
Member

@siewer I'm curious why this approach is being taken. When generating BOMs, transitive dependencies will be included, so normally there isn't a need to create BOMs for every package, unless of course that is the requirement.

@siewer
Author

siewer commented Sep 15, 2020

@stevespringett I am not an expert in the field of npm projects. It has happened to me multiple times that I have encountered a multi-module project where running npm install && cyclonedx-bom in the root directory produced an empty bom, while running cyclonedx-bom on the separate modules provided results.
Try this repo for example: https://github.com/lerna/lerna
Running npm install && cyclonedx-bom in the root directory produces a bom.xml with 62 lines,

while running npm install && cyclonedx-bom in utils/log-packed produces an 873-line bom.xml.

Combining them with @coderpatros' tip results in a combined bom.xml of 921 lines.

PS @coderpatros this works, thank you!

@coderpatros
Member

For any future visitors to this issue: you shouldn't normally need this for a single Node.js project, but you might need it for mono repos where you want to create a consolidated view for the entire repo.

Another really good use case is where you are generating an SBOM for server-side and client-side dependencies, i.e. .NET for the server side and JS for the client side.
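A shell helper for the workflow agreed in this thread: generate a BOM in each package first, then generate the root BOM last with -a pointing at the per-package files as a comma-separated list. This is an added example, not code from the issue or from the cyclonedx-bom project; it assumes cyclonedx-bom is on PATH, writes bom.xml into the current directory as in the reproduction steps, and accepts a comma-separated -a list as coderpatros described. The component counter is a check for the "empty root BOM" symptom the reporter hit.

```shell
#!/bin/sh
# Added example (not from the issue or the cyclonedx-bom project).
# Assumes: cyclonedx-bom is on PATH and writes bom.xml in the current
# directory; -a accepts a comma-separated list of BOM files to append.
set -eu

# join_boms DIR... : print a comma-separated list of DIR/bom.xml files that
# exist; directories without a BOM are reported on stderr and skipped.
join_boms() {
    list=""
    for dir in "$@"; do
        bom="$dir/bom.xml"
        if [ ! -f "$bom" ]; then
            echo "skip: $bom not found" >&2
            continue
        fi
        if [ -z "$list" ]; then list="$bom"; else list="$list,$bom"; fi
    done
    printf '%s\n' "$list"
}

# count_components FILE : number of <component ...> elements in a CycloneDX
# XML BOM. 0 is the "empty" root BOM the reporter saw (no dependencies in
# the root package.json); after the append step the count should be > 0.
count_components() {
    awk '{ n += gsub(/<component[ >]/, "") } END { print n + 0 }' "$1"
}

# consolidate_boms ROOT PKG... : generate a BOM in each package directory,
# then generate the root BOM last with -a, because (as explained in the
# thread) -a appends the listed files TO the BOM being generated, not the
# other way round.
consolidate_boms() {
    root="$1"; shift
    for pkg in "$@"; do
        ( cd "$root/$pkg" && npm install && cyclonedx-bom )
    done
    boms="$(cd "$root" && join_boms "$@")"
    [ -n "$boms" ] || { echo "no package BOMs found" >&2; return 1; }
    ( cd "$root" && npm install && cyclonedx-bom -a "$boms" )
    echo "root bom.xml now lists $(count_components "$root/bom.xml") components"
}

# Usage: sh consolidate.sh /tmp/lerna utils/log-packed
if [ $# -ge 2 ]; then
    consolidate_boms "$@"
fi
```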
