
feat: add "sbom" command that produces a CycloneDX 1.4 JSON SBOM #3983

Closed
wants to merge 1 commit into from

Conversation

@candrews candrews commented Oct 1, 2022

What does this PR do?

Adds a new command, sbom, that produces an SBOM in the CycloneDX JSON 1.4 format.

By default, sbom will just list the dependency files and the count of the dependencies each contains, for example:

$ npx . sbom --target-dir /home/candrews/projects/test --fail-fast --all-projects
../test/build.gradle: Found 177 gradle dependencies
../test/frontend/yarn.lock: Found 111 yarn dependencies

Passing the --cyclonedx-json option will output CycloneDX 1.4 JSON to stdout:

$ npx . sbom --target-dir /home/candrews/projects/test --all-projects --fail-fast --cyclonedx-json

Passing the --cyclonedx-json-file-output=<file> option will output CycloneDX 1.4 JSON to the given file:

$ npx . sbom --target-dir /home/candrews/projects/test --all-projects --fail-fast --cyclonedx-json-file-output=bom.json

The SBOM includes the dependencies (in the "components" section) and the dependency graph (in the "dependencies" section).

See: https://cyclonedx.org/

This feature facilitates compliance with the May 21, 2021 Executive Order on Improving the Nation’s Cybersecurity. It also brings Snyk CLI into alignment with the industry move towards SBOMs, of which Snyk itself has stressed the importance.

Where should the reviewer start?

I suggest looking at the new sbom command's implementation.

How should this be manually tested?

  • snyk sbom --target-dir <project>
  • snyk sbom --target-dir <project> --cyclonedx-json
  • snyk sbom --target-dir <project> --cyclonedx-json-file-output=bom.json

As well as the other options as documented.

Any background context you want to provide?

The CycloneDX JSON file is constructed using https://www.npmjs.com/package/%40cyclonedx/cyclonedx-library

What are the relevant tickets?

Closes: https://github.com/snyk/cli/issues/3862

Screenshots

Additional questions

candrews commented Oct 5, 2022

During our call on Monday, October 1, Snyk expressed interest in having the SBOM generation command be "snyk sbom" instead of "snyk deps". I personally like "snyk deps" more, but I'd also be happy with any name :) Therefore, I've updated this pull request with a commit that just changes the command name from "deps" to "sbom" with no other changes.

@candrews candrews changed the title feat: add "deps" command that produces a CycloneDX 1.4 JSON SBOM feat: add "sbom" command that produces a CycloneDX 1.4 JSON SBOM Oct 5, 2022
@candrews candrews requested a review from a team as a code owner October 13, 2022 23:41
jkowalleck commented Oct 23, 2022

hello everyone,

if the upgrade to TypeScript 4.8 (via #3875) was an issue,
i could imagine the https://www.npmjs.com/package/%40cyclonedx/cyclonedx-library could be modified to render inter-compatible type-definition files, instead of abusing its own TS-sources for this purpose :-)
if you feel like this could be helpful, feel free to open an issue here: https://github.com/CycloneDX/cyclonedx-javascript-library/issues

@candrews

Regardless of what Snyk does with this request, I think it would be greatly beneficial to users of the CycloneDX library to publish these compatible type definitions to enhance its utility for other projects so I opened the issue at CycloneDX/cyclonedx-javascript-library#291

@candrews

Snyk itself advises keeping dependencies up to date. So regardless of what Snyk wants to do with this request, I hope they will upgrade their Typescript dependency. I'm more than happy to work with Snyk to do this upgrade at #3875 if they would work with me.

"node": ">=14.0.0"
},
"optionalDependencies": {
"xmlbuilder2": "^3.0.2"

@jkowalleck jkowalleck Oct 25, 2022

this is an optional dependency, that causes transitive dependencies to install.
if you do not serialize to XML, then you could omit this optional dependency when adding @cyclonedx/cyclonedx-library as a dependency. see https://docs.npmjs.com/cli/v8/commands/npm-install#omit

from this PR it appears that the XML functionality is not used.

see https://github.com/snyk/cli/pull/3983/files#r1004859860

bomRef: `${targetFile}:${packageURL}`,
},
);
// The "snyk" property namespace has been reserved: https://github.com/CycloneDX/cyclonedx-property-taxonomy
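Review bot: the `${targetFile}:${packageURL}` composition keeps bom-ref values unique when several manifests in one --all-projects run resolve the same package, which CycloneDX requires of bom-ref, but it also embeds the manifest path exactly as scanned (e.g. `../test/build.gradle` in the description's output) in every ref, so the same project produces different refs depending on the directory the command is run from; consider normalising targetFile to a path relative to the target dir before building the ref.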

👍

@@ -19741,6 +19804,35 @@
"node": ">=4.0"
}
},
"node_modules/xmlbuilder2": {

CLAassistant commented Apr 14, 2023

CLA assistant check
All committers have signed the CLA.

The SBOM includes the dependencies and the dependency graph.

The SBOM is generated entirely client side; it does not communicate with the Snyk server/API.

See: https://cyclonedx.org/
Closes: https://github.com/snyk/cli/issues/3862
Signed-off-by: Craig Andrews <candrews@integralblue.com>
@bastiandoetsch

Hi Craig,

we really appreciate the contribution. Unfortunately, it diverges a bit from our product vision and therefore we decided to close this PR.

Thanks again,
Bastian
