SBOMgen
SBOMs can be created from npm-based projects. This tutorial illustrates how to create a CycloneDX SBOM from an npm project using the CycloneDX-Node-NPM CLI (the @cyclonedx/cyclonedx-npm package).
Testing was done on Ubuntu 20.04 x86_64 with the versions the tool supports:
node >= 14
npm 6 - 10
Install the CLI globally with:
npm install --global @cyclonedx/cyclonedx-npm
Alternatively, npx can fetch the package into its cache without a global install:
npx --package @cyclonedx/cyclonedx-npm --call exit
With the npx route, invoke the tool as "npx @cyclonedx/cyclonedx-npm" wherever the commands below use "cyclonedx-npm".
Navigate to the npm project folder (the directory containing package.json).
Create the SBOM by running the following within the npm project:
cyclonedx-npm --output-file <sbom-name>.<output-format> --output-format <output-format>
e.g.
cyclonedx-npm --output-file project-sbom.json --output-format json
The SBOM file is written to the current project folder. A relative path in --output-file is resolved against the current working directory, so to write it elsewhere, give a full path in the --output-file flag.
e.g.
cyclonedx-npm --output-file /home/directory-for-sboms/project-sbom.json --output-format json
Note that CycloneDX-Node-NPM requires a manifest file, i.e. a package.json file. It builds the SBOM from the dependency tree npm reports (it runs "npm ls" under the hood), so install the dependencies first (npm install or npm ci) so that the SBOM reflects what is actually installed; otherwise pass --package-lock-only to derive the SBOM from package-lock.json or npm-shrinkwrap.json alone, which describes only the locked tree, not the contents of node_modules.
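The following script wraps the procedure above and adds the sanity check a practitioner wants before handing the SBOM to downstream tooling. It is an added example, not code from the CycloneDX-Node-NPM project. It assumes cyclonedx-npm is on PATH (global install as above) and that the project's dependencies are installed; the SAMPLE_BOM document is constructed to mirror the shape of cyclonedx-npm output and is not real tool output. The check_sbom() function goes a little beyond the tutorial: it verifies the format markers, that the project itself appears as metadata.component, that every component carries name, version and purl, that bom-ref values are unique, and that the dependency graph only references refs that exist.

```python
"""Generate a CycloneDX SBOM with cyclonedx-npm and sanity-check the result.

Added example, not part of the cyclonedx-npm project. Assumes `cyclonedx-npm`
is on PATH and the project's node_modules are installed, since the tool
builds the SBOM from the tree that `npm ls` reports.
"""
import json
import shutil
import subprocess
from pathlib import Path


def build_command(output_file, output_format="json", package_lock_only=False):
    """Argument vector for cyclonedx-npm using the flags from this tutorial.

    --package-lock-only is the documented cyclonedx-npm flag that reads only
    package-lock.json / npm-shrinkwrap.json instead of node_modules.
    """
    cmd = ["cyclonedx-npm", "--output-file", str(output_file),
           "--output-format", output_format]
    if package_lock_only:
        cmd.append("--package-lock-only")
    return cmd


def generate_sbom(project_dir, output_file):
    """Run cyclonedx-npm inside project_dir and return the parsed JSON SBOM."""
    if not (Path(project_dir) / "package.json").exists():
        raise FileNotFoundError("cyclonedx-npm needs a package.json manifest")
    subprocess.run(build_command(output_file), cwd=project_dir, check=True)
    return json.loads(Path(output_file).read_text())


def check_sbom(bom):
    """Return a list of problems found in a CycloneDX JSON document (empty if OK)."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not bom.get("specVersion"):
        problems.append("specVersion missing")
    root = bom.get("metadata", {}).get("component")
    if not root:
        problems.append("metadata.component (the project itself) missing")
    refs = set()  # every bom-ref seen; the dependency graph must stay inside it
    if root and root.get("bom-ref"):
        refs.add(root["bom-ref"])
    for comp in bom.get("components", []):
        label = comp.get("name", "<unnamed>")
        for key in ("name", "version", "purl"):
            if not comp.get(key):
                problems.append(f"component {label}: {key} missing")
        ref = comp.get("bom-ref")
        if ref in refs:
            problems.append(f"duplicate bom-ref {ref}")
        if ref:
            refs.add(ref)
    for dep in bom.get("dependencies", []):
        for target in [dep.get("ref")] + dep.get("dependsOn", []):
            if target not in refs:
                problems.append(f"dependency graph references unknown ref {target}")
    return problems


# Constructed sample in the shape cyclonedx-npm emits; not real tool output.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app",
                               "version": "1.0.0", "bom-ref": "demo-app@1.0.0"}},
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "bom-ref": "left-pad@1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "ms", "version": "2.1.3",
         "bom-ref": "ms@2.1.3", "purl": "pkg:npm/ms@2.1.3"},
    ],
    "dependencies": [
        {"ref": "demo-app@1.0.0", "dependsOn": ["left-pad@1.3.0", "ms@2.1.3"]},
        {"ref": "left-pad@1.3.0", "dependsOn": []},
        {"ref": "ms@2.1.3", "dependsOn": []},
    ],
}

# Constructed broken variant: one component lost its purl and the graph points
# at a component that is not in the document.
BROKEN_BOM = json.loads(json.dumps(SAMPLE_BOM))
del BROKEN_BOM["components"][1]["purl"]
BROKEN_BOM["dependencies"][0]["dependsOn"].append("debug@4.3.4")

if __name__ == "__main__":
    # Use the real tool when it is installed, otherwise check the sample.
    if shutil.which("cyclonedx-npm"):
        bom = generate_sbom(".", "project-sbom.json")
    else:
        bom = SAMPLE_BOM
    print(check_sbom(bom) or "SBOM looks sane")
```

Run it from the project folder after npm install; if cyclonedx-npm is not found it checks the constructed sample instead. A non-empty problem list from check_sbom() is the signal to look at the npm tree (missing purls usually mean a dependency that npm could not resolve) before the SBOM is fed into vulnerability matching.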
The following section illustrates a CycloneDX JSON SBOM of the CycloneDX-Node-NPM codebase itself, generated with CycloneDX-Node-NPM.