
Generate a SBOM out of the vendored dependencies#661

Merged

jviotti merged 1 commit into main from sbom-vendorpull on Feb 24, 2026

Conversation

jviotti (Member) commented Feb 24, 2026

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

augmentcode bot commented Feb 24, 2026

🤖 Augment PR Summary

Summary: This PR adds generation of an SPDX SBOM for vendored (non-npm) dependencies and embeds it into the Enterprise container image.

Changes:

  • Writes the computed ONE_VERSION to ${CMAKE_CURRENT_BINARY_DIR}/VERSION during CMake configuration to make the build version available to downstream steps.
  • Updates enterprise/Dockerfile to generate and install SBOM artifacts under /usr/share/sourcemeta/one during the builder stage.
  • Keeps the existing npm SBOM generation (npm sbom SPDX JSON) and adds a second SBOM for vendored dependencies.
  • Introduces enterprise/scripts/sbom-vendorpull.js, which scans all DEPENDENCIES files, filters/normalizes entries, applies a license mapping, and emits an SPDX 2.3 JSON document.
  • Uses the build’s version string (read from /build/VERSION) to populate the SBOM document namespace and root package version.

Technical Notes: The resulting image includes both npm-packages.spdx.json and vendor-packages.spdx.json to provide SBOM coverage for JavaScript and vendored C++/frontend components.


augmentcode bot left a comment

Review completed. 2 suggestions posted.

```javascript
function findDependenciesFiles(directory) {
  const result = [];
  for (const entry of readdirSync(directory, { withFileTypes: true })) {
    if (entry.name === ".git") {
```

findDependenciesFiles() currently recurses the entire repo tree and only skips .git; in the Docker build this will also traverse /source/node_modules after npm ci, which can be extremely large and may make SBOM generation slow or flaky. Consider explicitly excluding node_modules (and any other known-large build artifacts) from the walk.

Severity: medium


cubic-dev-ai bot left a comment

3 issues found across 3 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="enterprise/scripts/sbom-vendorpull.js">

<violation number="1" location="enterprise/scripts/sbom-vendorpull.js:63">
P2: `findDependenciesFiles()` only excludes `.git` from the recursive directory walk. In the Docker build context, this will also traverse `/source/node_modules` (populated by the earlier `npm ci` step), `build` directories, and other large trees that cannot contain `DEPENDENCIES` files. This will make SBOM generation unnecessarily slow. Consider also skipping `node_modules`, `build`, and other known-large artifact directories.</violation>

<violation number="2" location="enterprise/scripts/sbom-vendorpull.js:105">
P2: De-duplicating by URL drops distinct versions of the same dependency, which can omit packages from the SBOM when multiple versions share a URL. Track uniqueness by name+version instead.</violation>

<violation number="3" location="enterprise/scripts/sbom-vendorpull.js:161">
P1: The `creationInfo` object is missing the `created` timestamp field, which is **required** by the SPDX 2.3 specification (section 6.9). Without it, SPDX validators and downstream SBOM consumers will likely reject this document as non-compliant. Add a `created` field with an ISO 8601 / UTC timestamp (e.g., `new Date().toISOString()`).</violation>
</file>

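The two reviews above raise three points against the generator: the walk should skip `node_modules` and other large artifact trees, de-duplication should key on name+version rather than URL, and `creationInfo.created` is mandatory in SPDX 2.3. The following is an added example, not the PR's `enterprise/scripts/sbom-vendorpull.js` (whose source is not on this page), showing a generator that handles all three. It assumes that each DEPENDENCIES line is `<name> <git-url> <revision>` with `#` comments, uses an illustrative license map, and walks a constructed in-memory tree so it runs offline; `SKIP_DIRS`, `buildSpdx`, `generateVendorSbom` and the `https://example.invalid` namespace are all hypothetical.

```javascript
// Added example, not the PR's enterprise/scripts/sbom-vendorpull.js. It walks a
// tree for DEPENDENCIES files, merges their entries and emits SPDX 2.3 JSON,
// addressing the three review points: skip large artifact directories, key
// de-duplication on name+version (not URL), and emit creationInfo.created.
// Assumptions: DEPENDENCIES lines are "<name> <git-url> <revision>", '#' starts
// a comment, and the LICENSES map and sample tree below are constructed.

const SKIP_DIRS = new Set([".git", "node_modules", "build"]);

// Recursive walk with an injectable lister so it runs offline; on a real tree
// pass (d) => readdirSync(d, { withFileTypes: true }).map(...) from node:fs.
function findDependenciesFiles(directory, listDir) {
  const result = [];
  for (const entry of listDir(directory)) {
    const path = `${directory}/${entry.name}`;
    if (entry.isDirectory) {
      if (!SKIP_DIRS.has(entry.name)) result.push(...findDependenciesFiles(path, listDir));
    } else if (entry.name === "DEPENDENCIES") {
      result.push(path);
    }
  }
  return result;
}

// Parse one DEPENDENCIES file into { name, url, version } records.
function parseDependencies(text) {
  const packages = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const fields = line.split(/\s+/);
    if (fields.length !== 3) throw new Error(`malformed DEPENDENCIES line: ${raw}`);
    packages.push({ name: fields[0], url: fields[1], version: fields[2] });
  }
  return packages;
}

// Key on name@version: two revisions of one repository share a URL but are
// distinct packages and must both appear in the SBOM.
function mergePackages(lists) {
  const byKey = new Map();
  for (const list of lists) for (const pkg of list) byKey.set(`${pkg.name}@${pkg.version}`, pkg);
  return [...byKey.entries()].sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0)).map(([, pkg]) => pkg);
}

// SPDX identifiers may only contain letters, digits, '.' and '-'.
function spdxId(pkg) {
  return `SPDXRef-Package-${pkg.name}-${pkg.version}`.replace(/[^A-Za-z0-9.-]/g, "-");
}

const LICENSES = { libfoo: "MIT", libbar: "BSD-3-Clause" }; // constructed

// `now` is injectable so the document can be built deterministically.
function buildSpdx(rootName, version, packages, now = new Date()) {
  const rootId = `SPDXRef-Package-${rootName}`;
  const license = (pkg) => LICENSES[pkg.name] ?? "NOASSERTION";
  return {
    spdxVersion: "SPDX-2.3",
    dataLicense: "CC0-1.0",
    SPDXID: "SPDXRef-DOCUMENT",
    name: `${rootName}-${version}-vendor`,
    documentNamespace: `https://example.invalid/spdx/${rootName}/${version}`, // placeholder
    creationInfo: {
      created: now.toISOString(), // mandatory in SPDX 2.3; validators reject documents without it
      creators: ["Tool: sbom-vendor-example"],
    },
    packages: [
      { name: rootName, SPDXID: rootId, versionInfo: version, downloadLocation: "NOASSERTION" },
      ...packages.map((pkg) => ({
        name: pkg.name,
        SPDXID: spdxId(pkg),
        versionInfo: pkg.version,
        downloadLocation: `git+${pkg.url}@${pkg.version}`,
        licenseConcluded: license(pkg),
        licenseDeclared: license(pkg),
      })),
    ],
    relationships: [
      { spdxElementId: "SPDXRef-DOCUMENT", relationshipType: "DESCRIBES", relatedSpdxElement: rootId },
      ...packages.map((pkg) => ({
        spdxElementId: rootId, relationshipType: "DEPENDS_ON", relatedSpdxElement: spdxId(pkg),
      })),
    ],
  };
}

// Constructed in-memory stand-in for /source after `npm ci`.
const FAKE_TREE = {
  "/source": [
    { name: ".git", isDirectory: true },
    { name: "node_modules", isDirectory: true },
    { name: "vendor", isDirectory: true },
    { name: "DEPENDENCIES", isDirectory: false },
  ],
  "/source/node_modules": [{ name: "DEPENDENCIES", isDirectory: false }], // decoy that must be skipped
  "/source/vendor": [{ name: "DEPENDENCIES", isDirectory: false }],
};
const FAKE_FILES = {
  "/source/DEPENDENCIES": "libfoo https://example.invalid/libfoo.git 1.2.0\n",
  "/source/vendor/DEPENDENCIES":
    "# nested vendored tree\nlibfoo https://example.invalid/libfoo.git 1.3.0\nlibbar https://example.invalid/libbar.git 0.9.8\n",
};

function generateVendorSbom(version) {
  const files = findDependenciesFiles("/source", (d) => FAKE_TREE[d] ?? []);
  const packages = mergePackages(files.map((f) => parseDependencies(FAKE_FILES[f])));
  return buildSpdx("one", version, packages, new Date("2026-02-24T00:00:00Z"));
}

console.log(JSON.stringify(generateVendorSbom("1.0.0"), null, 2));
```

Running it prints a document with four packages: the root plus `libbar@0.9.8`, `libfoo@1.2.0` and `libfoo@1.3.0`; the two `libfoo` revisions share a URL and would collapse to one entry under URL-keyed de-duplication, and the decoy `DEPENDENCIES` under `node_modules` never enters the walk. Validating the output with an SPDX tool is still worthwhile before shipping it in an image, since `creationInfo.created` is only one of the required fields.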

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
@jviotti jviotti merged commit 7209db9 into main Feb 24, 2026
5 checks passed
@jviotti jviotti deleted the sbom-vendorpull branch February 24, 2026 16:21