Skip to content

[BUG] sbom cyclonedx missing properties #8105

New issue
New issue
Open
Open
[BUG] sbom cyclonedx missing properties#8105
Labels
Bugthing that needs fixingNeeds Triageneeds review for next steps
@PaddeK

Description

@PaddeK
PaddeK
opened on Feb 13, 2025

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Running npm sbom --sbom-format cyclonedx with [email protected] results in an sbom with empty properties in bom-ref entries.

Example:

    {
      "bom-ref": "[email protected]",
      "type": "library",
      "name": "mqtt",
      "version": "5.10.1",
      "scope": "required",
      "description": "A library for the MQTT protocol",
      "purl": "pkg:npm/[email protected]",
      "properties": [],
      "externalReferences": [
        {
          "type": "distribution",
          "url": "https://registry.npmjs.org/mqtt/-/mqtt-5.10.1.tgz"
        },
        {
          "type": "vcs",
          "url": "git://github.com/mqttjs/MQTT.js.git"
        },
        {
          "type": "website",
          "url": "https://github.com/mqttjs/MQTT.js#readme"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/mqttjs/MQTT.js/issues"
        }
      ],
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "85708e922f2c00da10ef0fb63b327383aa8c0714edac7f5196754d57ca5a9cb6609e5f8687427fb7893aafc033f3e0bbcb72807325ed9f49a62e2c725289bc4b"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
    },

Expected Behavior

Running npx @cyclonedx/cyclonedx-npm or using [email protected] have cdx:npm:package:path in properties.

Example:

    {
      "type": "library",
      "name": "mqtt",
      "version": "5.10.1",
      "bom-ref": "[email protected]",
      "description": "A library for the MQTT protocol",
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "acknowledgement": "declared"
          }
        }
      ],
      "purl": "pkg:npm/[email protected]",
      "externalReferences": [
        {
          "url": "git://github.com/mqttjs/MQTT.js.git",
          "type": "vcs",
          "comment": "as detected from PackageJson property \"repository.url\""
        },
        {
          "url": "https://github.com/mqttjs/MQTT.js#readme",
          "type": "website",
          "comment": "as detected from PackageJson property \"homepage\""
        },
        {
          "url": "https://github.com/mqttjs/MQTT.js/issues",
          "type": "issue-tracker",
          "comment": "as detected from PackageJson property \"bugs.url\""
        },
        {
          "url": "https://registry.npmjs.org/mqtt/-/mqtt-5.10.1.tgz",
          "type": "distribution",
          "comment": "as detected from npm-ls property \"resolved\""
        }
      ],
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/mqtt"
        }
      ]
    },
   ...

Steps To Reproduce

No response

Environment

  • npm: 11.1.0
  • Node.js: 22.14.0
  • OS Name: macOS 15.3
  • System Model Name: Macbook Pro

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next steps

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions