A Bitbucket Pipe which generates a CycloneDX compliant Software Bill of Materials for a node/npm project.
For obvious reason the official copy this project is hosted on Bitbucket. In order to reach a diverse audience a copy of the repo also exists in GitHub. It is recommended to submit Pull Requests to the Bitbucket copy, however submissions to either copy will be synced.
The following is an example of a bitbucket pipeline which installs npm dependencies and caches those
dependencies in one step then uses those cached depdencies in the next step to build a CycloneDX
sBOM. The following code snip would need to be added to the bitbucket-pipelines.yml file
pipelines:
default:
- step:
name: Build and Test
caches:
- node
script:
- npm install
- npm test
- step:
name: Gen CycloneDX sBom
caches:
- node
script:
- pipe: docker://ccideas/cyclonedx-npm-pipe:1.5.0
variables:
IGNORE_NPM_ERRORS: 'true' # optional
NPM_SHORT_PURLS: 'true' # optional
NPM_OUTPUT_FORMAT: 'json' # optional
NPM_PACKAGE_LOCK_ONLY: 'false' # optional
OUTPUT_DIRECTORY: 'build' # optional # this dir should be archived by the pipeline
artifacts:
- build/*| Variable | Usage | Options | Default |
|---|---|---|---|
| IGNORE_NPM_ERRORS | Used to ignore any npm errors when generating the report | true, false | false |
| NPM_FLATTEN_COMPONENTS | Used to specify if the components should be flattened | true, false | false |
| NPM_SHORT_PURLS | Used to specify if qualifiers from PackageURLs should be shortened | true, false | false |
| NPM_OUTPUT_REPRODUCIBLE | Used to specify if the output should be reproducible | true, false | false |
| NPM_SPEC_VERSION | Used to specify the version of the CycloneDX spec | 1.2, 1.3, 1.4, 1.5 | 1.4 |
| NPM_MC_TYPE | Used to specify the type of main component | application, firmware, library | application |
| NPM_OMIT | Used to omit specific dependency types | dev, optional, peer | none |
| NPM_OUTPUT_FORMAT | Used to specify output format of the sBOM | json, xml | json |
| NPM_PACKAGE_LOCK_ONLY | Used to use only the package-lock.json file to find dependencies | true, false | false |
| OUTPUT_DIRECTORY | Used to specify the directory to place all output im | sbom_output |
Generates a CycloneDX compliant Software Bill of Materials
for a node/npm project. The generated sBOM will be created in the
sbom-output directory and be named ${BITBUCKET_REPO_SLUG}-sbom.json
npm dependencies must be installed first. It is advised to install npm dependencies in one step then archive them, so they can be read by the pipe. See the example below.
A working pipeline for the popular auditjs tool has been created as an example. The pipeline in this fork of the auditjs tool will install the required dependencies then generate a CycloneDX sBOM containing all the ingredients which make up the product.
If you'd like help with this pipe, or you have an issue, or a feature request, let us know.
If you are reporting an issue, please include:
the version of the pipe relevant logs and error messages steps to reproduce
This Bitbucket pipe is a collection and integration of the following open source tools
A big thank-you to the teams and volunteers who make these amazing tools available