Using dependency-management-data with npm's SPDX and CycloneDX SBOM export functionality
In today's DevOps Weekly it was mentioned that npm recently added support for exporting Software Bills of Materials (SBOMs).
This shipped as part of npm's v10.2.0 release at the beginning of October, and we can use it via:
# either
npm sbom --sbom-format spdx > renovate-graph.spdx.json
# or
npm sbom --sbom-format cyclonedx > renovate-graph.cyclonedx.json
Then, as per the Getting Started with SBOM data cookbook, we can run:
# set up the database
dmd db init --db dmd.db
# whitespace added for readability only
dmd import sbom --db dmd.db renovate-graph.spdx.json \
--platform gitlab \
--organisation tanna.dev \
--repo renovate-graph
# or
dmd import sbom --db dmd.db renovate-graph.cyclonedx.json \
--platform gitlab \
--organisation tanna.dev \
--repo renovate-graph
From here, we can then run queries such as:
-- how many dependencies do we have on Octokit libraries?
select count(*) from sboms where package_name like '@octokit/%'
While playing around with this, I noticed a bug in dependency-management-data's SPDX support, as well as a couple of bugs in npm's SBOM support too:
- SBOM generation for SPDX generates invalid format for licenses (`Invalid type. Expected: string, given: object`)
- SBOM generation for CycloneDX generates duplicate dependencies
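Both of those npm bugs are cheap to catch before an `dmd import sbom` run: a license field that is a JSON object rather than a string in the SPDX output, and the same component listed twice in the CycloneDX output. The checker below is an added example written for this post, not code from npm or dependency-management-data; the two embedded SBOM documents are constructed samples that mimic the shape of `npm sbom` output, and the function and sample names are my own.

```python
import json
from collections import Counter

# Constructed sample SPDX 2.3 document (not real `npm sbom` output). The second
# package carries licenseDeclared as an object, which is the invalid shape the
# SPDX JSON schema rejects ("Expected: string, given: object").
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "renovate-graph@0.1.0",
    "packages": [
        {
            "name": "renovate-graph",
            "SPDXID": "SPDXRef-Package-renovate-graph",
            "versionInfo": "0.1.0",
            "licenseDeclared": "Apache-2.0",
        },
        {
            "name": "@octokit/rest",
            "SPDXID": "SPDXRef-Package-octokit-rest",
            "versionInfo": "20.0.2",
            "licenseDeclared": {"type": "MIT", "url": "https://example.invalid/MIT"},
        },
    ],
}

# Constructed sample CycloneDX 1.5 document (not real `npm sbom` output) in
# which the same component appears twice in components[].
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "@octokit/rest", "version": "20.0.2",
         "purl": "pkg:npm/%40octokit/rest@20.0.2"},
        {"type": "library", "name": "@octokit/core", "version": "5.0.1",
         "purl": "pkg:npm/%40octokit/core@5.0.1"},
        {"type": "library", "name": "@octokit/rest", "version": "20.0.2",
         "purl": "pkg:npm/%40octokit/rest@20.0.2"},
    ],
}


def spdx_license_problems(doc):
    """Return (SPDXID, field) pairs whose license field is present but not a string.

    SPDX 2.3 requires licenseConcluded/licenseDeclared to be license
    expressions (strings such as "MIT" or "NOASSERTION").
    """
    problems = []
    for pkg in doc.get("packages", []):
        for field in ("licenseConcluded", "licenseDeclared"):
            value = pkg.get(field)
            if value is not None and not isinstance(value, str):
                problems.append((pkg.get("SPDXID"), field))
    return problems


def cyclonedx_duplicates(doc):
    """Return sorted identities of components that occur more than once.

    A component is identified by its purl when present, otherwise by name@version.
    """
    keys = []
    for comp in doc.get("components", []):
        keys.append(comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}")
    return sorted(key for key, count in Counter(keys).items() if count > 1)


def check_sbom(doc):
    """Dispatch on the declared SBOM format and return human-readable findings."""
    if "spdxVersion" in doc:
        return [f"SPDX: {spdxid} {field} is not a string"
                for spdxid, field in spdx_license_problems(doc)]
    if doc.get("bomFormat") == "CycloneDX":
        return [f"CycloneDX: duplicate component {key}"
                for key in cyclonedx_duplicates(doc)]
    raise ValueError("unrecognised SBOM format: expected SPDX or CycloneDX JSON")


def check_sbom_file(path):
    """Load an SBOM JSON file (e.g. renovate-graph.spdx.json) and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_sbom(json.load(fh))


if __name__ == "__main__":
    # Run against the constructed samples; pass a file path to check_sbom_file
    # to validate a real `npm sbom` export before importing it into dmd.
    for finding in check_sbom(SPDX_SAMPLE) + check_sbom(CYCLONEDX_SAMPLE):
        print(finding)
```

A non-empty result from `check_sbom_file("renovate-graph.cyclonedx.json")` means the import into `sboms` would double-count that package, so the `count(*)` query above would over-report until the duplicates are dropped.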
But it's great to have support natively in npm, and I'm looking forward to more support of SBOMs!