Generate and store an NPM SBOM on the Enterprise image

[jviotti]

Signed-off-by: Juan Cruz Viotti jv@jviotti.com

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the Enterprise Docker image build to install Node.js from NodeSource so npm is new enough to support npm sbom.

Changes:

• Switches Node.js installation to the NodeSource LTS setup script (to get npm >= 10)
• Runs npm sbom after npm ci and stores the generated SPDX JSON under /usr/share/sourcemeta/one (copied into the final image)

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 1 suggestions posted.

Comment augment review to trigger a new review at any time.

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="enterprise/Dockerfile">

<violation number="1" location="enterprise/Dockerfile:7">
P1: Avoid piping a remote setup script directly into `bash` without integrity verification; it exposes the build to supply‑chain injection if the endpoint is compromised or intercepted.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}