Using dependency-management-data with npm's SPDX and CycloneDX SBOM export functionality

Featured image for sharing metadata for article

In today's DevOps Weekly, it was mentioned that npm recently added support for exporting Software Bill of Materials (SBOMs).

This was shipped as part of npm's v10.2.0 release at the beginning of October, which we can use via:

# either
npm sbom --sbom-format spdx > renovate-graph.spdx.json
# or
npm sbom --sbom-format cyclonedx > renovate-graph.cyclonedx.json

Then, as per the Getting Started with SBOM data cookbook, we can run:

# set up the database
dmd db init --db dmd.db
# whitespace added for readability only
dmd import sbom --db dmd.db renovate-graph.spdx.json \
  --platform gitlab \
  --organisation \
  --repo renovate-graph
# or
dmd import sbom --db dmd.db renovate-graph.cyclonedx.json \
  --platform gitlab \
  --organisation \
  --repo renovate-graph

From here, we can then run queries such as:

-- how many dependencies do we have on Octokit libraries?
select count(*) from sboms where package_name like '@octokit/%'

While playing around with this, I noticed a bug in dependency-management-data's SPDX support, as well as a couple of bugs in npm's SBOM support too:

But it's great to have support natively in npm, and I'm looking forward to more support of SBOMs!

Written by Jamie Tanna's profile image Jamie Tanna on , and last updated on .

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#dependency-management-data #sbom #npm.

This post was filed under articles.

Interactions with this post

Interactions with this post

Below you can find the interactions that this page has had using WebMention.

Have you written a response to this post? Let me know the URL:

Do you not have a website set up with WebMention capabilities? You can use Comment Parade.