Using dependency-management-data with npm's SPDX and CycloneDX SBOM export functionality
This was shipped as part of npm's v10.2.0 release at the beginning of October, which we can use via:
# either
npm sbom --sbom-format spdx > renovate-graph.spdx.json
# or
npm sbom --sbom-format cyclonedx > renovate-graph.cyclonedx.json
Then, as per the Getting Started with SBOM data cookbook, we can run:
# set up the database
dmd db init --db dmd.db

# whitespace added for readability only
dmd import sbom --db dmd.db renovate-graph.spdx.json \
  --platform gitlab \
  --organisation tanna.dev \
  --repo renovate-graph
# or
dmd import sbom --db dmd.db renovate-graph.cyclonedx.json \
  --platform gitlab \
  --organisation tanna.dev \
  --repo renovate-graph
From here, we can then run queries such as:
-- how many dependencies do we have on Octokit libraries?
select count(*) from sboms where package_name like '@octokit/%';
While playing around with this, I noticed a bug in dependency-management-data's SPDX support, as well as a couple of bugs in npm's SBOM support:
- SBOM generation for SPDX generates invalid format for licenses - `Invalid type. Expected: string, given: object`
- SBOM generation for CycloneDX generates duplicate dependencies
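Before importing an npm-generated SBOM into dmd, it is worth sanity-checking it for the two issues above. The following is an added example, not code from the post, from npm or from dependency-management-data; the two embedded SBOM fragments are constructed, trimmed to the fields the checks inspect, and the package versions and purls in them are made up.

```python
"""Flag the two npm SBOM issues described above: SPDX license fields that are
objects instead of strings, and duplicated components in CycloneDX output."""
import json
from collections import Counter

# Constructed sample documents (not real npm output), trimmed to the fields
# the checks below look at.
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "renovate-graph", "licenseDeclared": "MIT"},
        # license given as an object: the shape the validator rejects
        {"name": "@octokit/rest", "licenseDeclared": {"id": "MIT"}},
    ],
}
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "@octokit/rest", "version": "20.0.1", "purl": "pkg:npm/%40octokit/rest@20.0.1"},
        {"name": "@octokit/rest", "version": "20.0.1", "purl": "pkg:npm/%40octokit/rest@20.0.1"},
        {"name": "@octokit/core", "version": "5.0.0", "purl": "pkg:npm/%40octokit/core@5.0.0"},
    ],
}

def spdx_non_string_licenses(doc):
    """Return (package name, field) pairs whose license value is not a string."""
    bad = []
    for pkg in doc.get("packages", []):
        for field in ("licenseConcluded", "licenseDeclared"):
            if field in pkg and not isinstance(pkg[field], str):
                bad.append((pkg.get("name"), field))
    return bad

def cyclonedx_duplicate_components(doc):
    """Return purls (or name@version when no purl) listed more than once."""
    keys = Counter(c.get("purl") or f"{c.get('name')}@{c.get('version')}"
                   for c in doc.get("components", []))
    return sorted(k for k, n in keys.items() if n > 1)

def check_sbom(doc):
    """Dispatch on the document type and return human-readable findings."""
    if "spdxVersion" in doc:
        return [f"SPDX: {name}.{field} is not a string"
                for name, field in spdx_non_string_licenses(doc)]
    if doc.get("bomFormat") == "CycloneDX":
        return [f"CycloneDX: duplicate component {k}"
                for k in cyclonedx_duplicate_components(doc)]
    return ["unrecognised SBOM format"]

if __name__ == "__main__":
    for label, doc in (("spdx", SPDX_SAMPLE), ("cyclonedx", CYCLONEDX_SAMPLE)):
        for finding in check_sbom(json.loads(json.dumps(doc))):
            print(label, finding)
```

To run it against a real export, replace the samples with `json.load(open("renovate-graph.spdx.json"))` and `json.load(open("renovate-graph.cyclonedx.json"))`.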
But it's great to have support natively in npm, and I'm looking forward to more support of SBOMs!