NPM-SBOM(1)                                                        NPM-SBOM(1)

Name
   npm-sbom - Generate a Software Bill of Materials (SBOM)

Synopsis
   npm sbom

Description
   The npm sbom command generates a Software Bill of Materials (SBOM)
   listing the dependencies for the current project. SBOMs can be
   generated in either SPDX ⟨https://spdx.dev/⟩ or CycloneDX
   ⟨https://cyclonedx.org/⟩ format.

Example CycloneDX SBOM
   {
     "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
     "bomFormat": "CycloneDX",
     "specVersion": "1.5",
     "serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
     "version": 1,
     "metadata": {
       "timestamp": "2023-09-01T00:00:00.001Z",
       "lifecycles": [
         {
           "phase": "build"
         }
       ],
       "tools": [
         {
           "vendor": "npm",
           "name": "cli",
           "version": "10.1.0"
         }
       ],
       "component": {
         "bom-ref": "simple@1.0.0",
         "type": "library",
         "name": "simple",
         "version": "1.0.0",
         "scope": "required",
         "author": "John Doe",
         "description": "simple react app",
         "purl": "pkg:npm/simple@1.0.0",
         "properties": [
           {
             "name": "cdx:npm:package:path",
             "value": ""
           }
         ],
         "externalReferences": [],
         "licenses": [
           {
             "license": {
               "id": "MIT"
             }
           }
         ]
       }
     },
     "components": [
       {
         "bom-ref": "lodash@4.17.21",
         "type": "library",
         "name": "lodash",
         "version": "4.17.21",
         "scope": "required",
         "author": "John-David Dalton",
         "description": "Lodash modular utilities.",
         "purl": "pkg:npm/lodash@4.17.21",
         "properties": [
           {
             "name": "cdx:npm:package:path",
             "value": "node_modules/lodash"
           }
         ],
         "externalReferences": [
           {
             "type": "distribution",
             "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
           },
           {
             "type": "vcs",
             "url": "git+https://github.com/lodash/lodash.git"
           },
           {
             "type": "website",
             "url": "https://lodash.com/"
           },
           {
             "type": "issue-tracker",
             "url": "https://github.com/lodash/lodash/issues"
           }
         ],
         "hashes": [
           {
             "alg": "SHA-512",
             "content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
           }
         ],
         "licenses": [
           {
             "license": {
               "id": "MIT"
             }
           }
         ]
       }
     ],
     "dependencies": [
       {
         "ref": "simple@1.0.0",
         "dependsOn": [
           "lodash@4.17.21"
         ]
       },
       {
         "ref": "lodash@4.17.21",
         "dependsOn": []
       }
     ]
   }

Example SPDX SBOM
   {
     "spdxVersion": "SPDX-2.3",
     "dataLicense": "CC0-1.0",
     "SPDXID": "SPDXRef-DOCUMENT",
     "name": "simple@1.0.0",
     "documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
     "creationInfo": {
       "created": "2023-09-01T00:00:00.001Z",
       "creators": [
         "Tool: npm/cli-10.1.0"
       ]
     },
     "documentDescribes": [
       "SPDXRef-Package-simple-1.0.0"
     ],
     "packages": [
       {
         "name": "simple",
         "SPDXID": "SPDXRef-Package-simple-1.0.0",
         "versionInfo": "1.0.0",
         "packageFileName": "",
         "description": "simple react app",
         "primaryPackagePurpose": "LIBRARY",
         "downloadLocation": "NOASSERTION",
         "filesAnalyzed": false,
         "homepage": "NOASSERTION",
         "licenseDeclared": "MIT",
         "externalRefs": [
           {
             "referenceCategory": "PACKAGE-MANAGER",
             "referenceType": "purl",
             "referenceLocator": "pkg:npm/simple@1.0.0"
           }
         ]
       },
       {
         "name": "lodash",
         "SPDXID": "SPDXRef-Package-lodash-4.17.21",
         "versionInfo": "4.17.21",
         "packageFileName": "node_modules/lodash",
         "description": "Lodash modular utilities.",
         "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
         "filesAnalyzed": false,
         "homepage": "https://lodash.com/",
         "licenseDeclared": "MIT",
         "externalRefs": [
           {
             "referenceCategory": "PACKAGE-MANAGER",
             "referenceType": "purl",
             "referenceLocator": "pkg:npm/lodash@4.17.21"
           }
         ],
         "checksums": [
           {
             "algorithm": "SHA512",
             "checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
           }
         ]
       }
     ],
     "relationships": [
       {
         "spdxElementId": "SPDXRef-DOCUMENT",
         "relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
         "relationshipType": "DESCRIBES"
       },
       {
         "spdxElementId": "SPDXRef-Package-simple-1.0.0",
         "relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
         "relationshipType": "DEPENDS_ON"
       }
     ]
   }

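   The two example documents above carry the same facts in different
   shapes: the package identity as a purl, the SHA-512 digest of the
   distribution tarball (CycloneDX "hashes", SPDX "checksums"), and the
   dependency edge (CycloneDX "dependsOn", SPDX "DEPENDS_ON"). The Node.js
   script below is an added example, not part of the npm documentation or
   of the npm CLI: it normalizes either format to a purl-keyed map and
   checks each SBOM digest against the SRI "integrity" string recorded in
   package-lock.json, which is the check a consumer runs to confirm that an
   SBOM describes the tarballs that were actually installed. The two SBOM
   inputs are trimmed copies of the examples above; the package-lock.json
   fragment (PACKAGE_LOCK), the function names and the finding labels are
   constructed for this example.

```javascript
// Added example, not part of npm's documentation or CLI: normalize an
// `npm sbom` document (CycloneDX or SPDX) and check its SHA-512 digests
// against the SRI integrity strings recorded in package-lock.json.

// Digest of lodash-4.17.21.tgz as it appears in both SBOM examples (hex).
const LODASH_SHA512_HEX =
  "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a";

// Constructed input: trimmed copy of the CycloneDX example from this page.
const CYCLONEDX = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  metadata: {
    component: { "bom-ref": "simple@1.0.0", type: "library", name: "simple",
      version: "1.0.0", purl: "pkg:npm/simple@1.0.0" },
  },
  components: [
    { "bom-ref": "lodash@4.17.21", type: "library", name: "lodash",
      version: "4.17.21", purl: "pkg:npm/lodash@4.17.21",
      hashes: [{ alg: "SHA-512", content: LODASH_SHA512_HEX }] },
  ],
  dependencies: [
    { ref: "simple@1.0.0", dependsOn: ["lodash@4.17.21"] },
    { ref: "lodash@4.17.21", dependsOn: [] },
  ],
};

// Constructed input: trimmed copy of the SPDX example from this page.
const SPDX = {
  spdxVersion: "SPDX-2.3",
  packages: [
    { name: "simple", SPDXID: "SPDXRef-Package-simple-1.0.0", versionInfo: "1.0.0",
      externalRefs: [{ referenceCategory: "PACKAGE-MANAGER", referenceType: "purl",
        referenceLocator: "pkg:npm/simple@1.0.0" }] },
    { name: "lodash", SPDXID: "SPDXRef-Package-lodash-4.17.21", versionInfo: "4.17.21",
      externalRefs: [{ referenceCategory: "PACKAGE-MANAGER", referenceType: "purl",
        referenceLocator: "pkg:npm/lodash@4.17.21" }],
      checksums: [{ algorithm: "SHA512", checksumValue: LODASH_SHA512_HEX }] },
  ],
};

// Hypothetical package-lock.json (lockfileVersion 3 "packages" layout) for
// the same project; its integrity value is the SRI form of the digest above.
const PACKAGE_LOCK = {
  packages: {
    "": { name: "simple", version: "1.0.0", dependencies: { lodash: "^4.17.21" } },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
    },
  },
};

// package-lock.json stores digests as SRI ("sha512-" + base64); both SBOM
// formats store the same digest as hex, so convert before comparing.
function hexToSri(hex) {
  return "sha512-" + Buffer.from(hex, "hex").toString("base64");
}

// Reduce either format to a Map: purl -> { name, version, sha512 (hex or null) }.
function normalizeSbom(sbom) {
  const out = new Map();
  if (sbom.bomFormat === "CycloneDX") {
    const comps = [sbom.metadata?.component, ...(sbom.components || [])].filter(Boolean);
    for (const c of comps) {
      const h = (c.hashes || []).find((x) => x.alg === "SHA-512");
      out.set(c.purl, { name: c.name, version: c.version,
        sha512: h ? h.content.toLowerCase() : null });
    }
  } else if (typeof sbom.spdxVersion === "string") {
    for (const p of sbom.packages || []) {
      const ref = (p.externalRefs || []).find((r) => r.referenceType === "purl");
      if (!ref) continue; // no purl: cannot be matched to a registry package
      const h = (p.checksums || []).find((x) => x.algorithm === "SHA512");
      out.set(ref.referenceLocator, { name: p.name, version: p.versionInfo,
        sha512: h ? h.checksumValue.toLowerCase() : null });
    }
  } else {
    throw new Error("unrecognized SBOM format");
  }
  return out;
}

// Derive the purl for a lockfile "packages" path; scoped names encode "@" as %40.
function purlForLockPath(path, version) {
  const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
  return `pkg:npm/${name.replace("@", "%40")}@${version}`;
}

// Walk the lockfile and report every installed package whose digest the
// SBOM omits, contradicts, or does not mention at all.
function crossCheck(sbom, lock) {
  const byPurl = normalizeSbom(sbom);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project has no tarball or integrity
    const purl = purlForLockPath(path, entry.version);
    const comp = byPurl.get(purl);
    if (!comp) findings.push(`missing-from-sbom ${purl}`);
    else if (!comp.sha512) findings.push(`no-hash ${purl}`);
    else if (hexToSri(comp.sha512) !== entry.integrity) findings.push(`hash-mismatch ${purl}`);
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, sbom] of [["CycloneDX", CYCLONEDX], ["SPDX", SPDX]]) {
    const findings = crossCheck(sbom, PACKAGE_LOCK);
    console.log(`${label}: ${findings.length ? findings.join(", ") : "all digests match"}`);
  }
}
```

   Run with a real project by replacing the three constructed objects with
   the parsed output of npm sbom and the project's package-lock.json. The
   root package is skipped on purpose: it has no tarball, so both formats
   emit it without a digest, and flagging it would only produce noise. A
   "hash-mismatch" finding means the SBOM and the lockfile disagree about
   which tarball a version refers to, which is the case to investigate
   before trusting either document.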
Package lock only mode
   If package-lock-only is enabled, only the information in the package
   lock (or shrinkwrap) is loaded. This means that information from the
   package.json files of your dependencies will not be included in the
   result set (e.g. description, homepage, engines).

Configuration
   omit
      • Default: 'dev' if the NODE_ENV environment variable is set to
        'production', otherwise empty.

      • Type: "dev", "optional", or "peer" (can be set multiple times)

      Dependency types to omit from the installation tree on disk.

      Note that these dependencies are still resolved and added to the
      package-lock.json or npm-shrinkwrap.json file. They are just not
      physically installed on disk.

      If a package type appears in both the --include and --omit lists,
      then it will be included.

      If the resulting omit list includes 'dev', then the NODE_ENV
      environment variable will be set to 'production' for all lifecycle
      scripts.

   package-lock-only
      • Default: false

      • Type: Boolean

      If set to true, the current operation will only use the
      package-lock.json, ignoring node_modules.

      For update this means only the package-lock.json will be updated,
      instead of checking node_modules and downloading dependencies.

      For list this means the output will be based on the tree described
      by the package-lock.json, rather than the contents of node_modules.

   sbom-format
      • Default: null

      • Type: "cyclonedx" or "spdx"

      SBOM format to use when generating SBOMs.

   sbom-type
      • Default: "library"

      • Type: "library", "application", or "framework"

      The type of package described by the generated SBOM. For SPDX, this
      is the value for the primaryPackagePurpose field. For CycloneDX,
      this is the value for the type field.

   workspace
      • Default:

      • Type: String (can be set multiple times)

      Enable running a command in the context of the configured
      workspaces of the current project while filtering by running only
      the workspaces defined by this configuration option.

      Valid values for the workspace config are either:

      • Workspace names

      • Path to a workspace directory

      • Path to a parent workspace directory (will result in selecting
        all workspaces within that folder)

      When set for the npm init command, this may be set to the folder of
      a workspace which does not yet exist, to create the folder and set
      it up as a brand new workspace within the project.

      This value is not exported to the environment for child processes.

   workspaces
      • Default: null

      • Type: null or Boolean

      Set to true to run the command in the context of all configured
      workspaces.

      Explicitly setting this to false will cause commands like install
      to ignore workspaces altogether. When not set explicitly:

      • Commands that operate on the node_modules tree (install, update,
        etc.) will link workspaces into the node_modules folder.

      • Commands that do other things (test, exec, publish, etc.) will
        operate on the root project, unless one or more workspaces are
        specified in the workspace config.

      This value is not exported to the environment for child processes.

See Also
   • npm help "package spec"

   • npm help "dependency selectors"

   • package.json ⟨/configuring-npm/package-json⟩

   • npm help workspaces


November 2023                                                      NPM-SBOM(1)