CycloneDXCycloneDX SBOM for yarn
Create CycloneDX Software Bill of Materials (SBOM) from yarn projects.
This is probably the most accurate, complete SBOM generator for yarn-based projects.
Requirements
node >= 20.18.0yarn >= 4.0.0(berry)
However, there are older version of this software which support
- Node v18 and later
- Yarn v3 and later
Installation
Install the plugin into your yarn project via one of the following methods:
- zero-install: No install needed, just call on demand via dlx-wrapper as described in section "usage".
- cli-wrapper: As a development dependency of the current project:
yarn add --dev @cyclonedx/yarn-plugin-cyclonedx - plugin: Install the latest version from GitHub release asset as a plugin for the current project:
yarn plugin import https://github.com/CycloneDX/cyclonedx-node-yarn/releases/latest/download/yarn-plugin-cyclonedx.cjs
Usage
Usage depends on the installation method:
- With zero-install via dlx-wrapper:
yarn dlx -q @cyclonedx/yarn-plugin-cyclonedx --help - After cli-wrapper installation:
yarn exec cyclonedx-yarn --help - After plugin installation:
yarn cyclonedx --help
The help page:
Generates CycloneDX SBOM for current workspace.
━━━ Usage ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$ yarn cyclonedx
━━━ Options ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
--production,--prod Exclude development dependencies.
(default: true if the NODE_ENV environment variable is set to "production", otherwise false)
--gather-license-texts Search for license files in components and include them as license evidence.
This feature is experimental.
--short-PURLs Omit all qualifiers from PackageURLs.
This causes information loss in trade-off shorter PURLs, which might improve ingesting these strings.
--sv,--spec-version #0 Which version of CycloneDX to use.
(choices: 1.2, 1.3, 1.4, 1.5, 1.6, default: 1.6)
--output-reproducible Whether to go the extra mile and make the output reproducible.
This might result in loss of time- and random-based values.
--of,--output-format #0 Which output format to use.
(choices: JSON, XML, default: JSON)
-o,--output-file #0 Path to the output file.
Set to "-" to write to STDOUT.
(default: write to STDOUT)
--mc-type #0 Type of the main component.
(choices: application, library, firmware, default: application)
-v,--verbose Increase the verbosity of messages.
Use multiple times to increase the verbosity even more.
━━━ Details ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Recursively scan workspace dependencies and emits them as
Software-Bill-of-Materials(SBOM) in CycloneDX format.Internals
This yarn plugin utilizes the CycloneDX library to generate the actual data structures.
This tool does not expose any additional public API or classes - all code is intended to be internal and might change without any notice during version upgrades. However, the CLI is stable - you may call it programmatically like:
const { execFileSync } = require('node:child_process')
const { constants: { MAX_LENGTH: BUFFER_MAX_LENGTH } } = require('node:buffer')
const sbom = JSON.parse(execFileSync(process.execPath, [
'.../path/to/this/package/bin/cyclonedx-yarn-cli.js',
'--output-format', 'JSON',
'--output-file', '-'
// additional CLI args
], {stdio: ['ignore', 'pipe', 'ignore'], encoding: 'buffer', maxBuffer: BUFFER_MAX_LENGTH }))Development & Contributing
Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.
License
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.
For details and license posture of the assembly, see the LICENSE file in the respective release assets.