feat: add npm sbom command (#6801)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

Author: bdehamer

DEPENDENCIES.md

@@ -107,6 +107,7 @@ graph LR;
   npm-->libnpmversion;
   npm-->make-fetch-happen;
   npm-->nopt;
+  npm-->normalize-package-data;
   npm-->npm-audit-report;
   npm-->npm-install-checks;
   npm-->npm-package-arg;
@@ -495,6 +496,9 @@ graph LR;
   normalize-package-data-->semver;
   normalize-package-data-->validate-npm-package-license;
   npm-->abbrev;
+  npm-->ajv-formats-draft2019;
+  npm-->ajv-formats;
+  npm-->ajv;
   npm-->archy;
   npm-->cacache;
   npm-->chalk;
@@ -533,6 +537,7 @@ graph LR;
   npm-->nock;
   npm-->node-gyp;
   npm-->nopt;
+  npm-->normalize-package-data;
   npm-->npm-audit-report;
   npm-->npm-install-checks;
   npm-->npm-package-arg;
@@ -568,6 +573,7 @@ graph LR;
   npm-->semver;
   npm-->sigstore-tuf["@sigstore/tuf"];
   npm-->spawk;
+  npm-->spdx-expression-parse;
   npm-->ssri;
   npm-->strip-ansi;
   npm-->supports-color;

docs/lib/content/commands/npm-sbom.md

@@ -0,0 +1,223 @@
+---
+title: npm-sbom
+section: 1
+description: Generate a Software Bill of Materials (SBOM)
+---
+
+### Synopsis
+
+<!-- AUTOGENERATED USAGE DESCRIPTIONS -->
+
+### Description
+
+The `npm sbom` command generates a Software Bill of Materials (SBOM) listing the
+dependencies for the current project. SBOMs can be generated in either
+[SPDX](https://spdx.dev/) or [CycloneDX](https://cyclonedx.org/) format.
+
+### Example CycloneDX SBOM
+
+```json
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2023-09-01T00:00:00.001Z",
+    "lifecycles": [
+      {
+        "phase": "build"
+      }
+    ],
+    "tools": [
+      {
+        "vendor": "npm",
+        "name": "cli",
+        "version": "10.1.0"
+      }
+    ],
+    "component": {
+      "bom-ref": "simple@1.0.0",
+      "type": "library",
+      "name": "simple",
+      "version": "1.0.0",
+      "scope": "required",
+      "author": "John Doe",
+      "description": "simple react app",
+      "purl": "pkg:npm/simple@1.0.0",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        }
+      ],
+      "externalReferences": [],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "lodash@4.17.21",
+      "type": "library",
+      "name": "lodash",
+      "version": "4.17.21",
+      "scope": "required",
+      "author": "John-David Dalton",
+      "description": "Lodash modular utilities.",
+      "purl": "pkg:npm/lodash@4.17.21",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": "node_modules/lodash"
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "distribution",
+          "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
+        },
+        {
+          "type": "vcs",
+          "url": "git+https://github.com/lodash/lodash.git"
+        },
+        {
+          "type": "website",
+          "url": "https://lodash.com/"
+        },
+        {
+          "type": "issue-tracker",
+          "url": "https://github.com/lodash/lodash/issues"
+        }
+      ],
+      "hashes": [
+        {
+          "alg": "SHA-512",
+          "content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "simple@1.0.0",
+      "dependsOn": [
+        "lodash@4.17.21"
+      ]
+    },
+    {
+      "ref": "lodash@4.17.21",
+      "dependsOn": []
+    }
+  ]
+}
+```
+
+### Example SPDX SBOM
+
+```json
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "simple@1.0.0",
+  "documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
+  "creationInfo": {
+    "created": "2023-09-01T00:00:00.001Z",
+    "creators": [
+      "Tool: npm/cli-10.1.0"
+    ]
+  },
+  "documentDescribes": [
+    "SPDXRef-Package-simple-1.0.0"
+  ],
+  "packages": [
+    {
+      "name": "simple",
+      "SPDXID": "SPDXRef-Package-simple-1.0.0",
+      "versionInfo": "1.0.0",
+      "packageFileName": "",
+      "description": "simple react app",
+      "primaryPackagePurpose": "LIBRARY",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "homepage": "NOASSERTION",
+      "licenseDeclared": "MIT",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/simple@1.0.0"
+        }
+      ]
+    },
+    {
+      "name": "lodash",
+      "SPDXID": "SPDXRef-Package-lodash-4.17.21",
+      "versionInfo": "4.17.21",
+      "packageFileName": "node_modules/lodash",
+      "description": "Lodash modular utilities.",
+      "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "filesAnalyzed": false,
+      "homepage": "https://lodash.com/",
+      "licenseDeclared": "MIT",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/lodash@4.17.21"
+        }
+      ],
+      "checksums": [
+        {
+          "algorithm": "SHA512",
+          "checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
+        }
+      ]
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
+      "relationshipType": "DESCRIBES"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-simple-1.0.0",
+      "relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
+      "relationshipType": "DEPENDS_ON"
+    }
+  ]
+}
+```
+
+### Package lock only mode
+
+If package-lock-only is enabled, only the information in the package
+lock (or shrinkwrap) is loaded.  This means that information from the
+package.json files of your dependencies will not be included in the
+result set (e.g. description, homepage, engines).
+
+### Configuration
+
+<!-- AUTOGENERATED CONFIG DESCRIPTIONS -->
+## See Also
+
+* [package spec](/using-npm/package-spec)
+* [dependency selectors](/using-npm/dependency-selectors)
+* [package.json](/configuring-npm/package-json)
+* [workspaces](/using-npm/workspaces)
+

docs/lib/content/nav.yml

@@ -150,6 +150,9 @@
   - title: npm run-script
     url: /commands/npm-run-script
     description: Run arbitrary package scripts
+  - title: npm sbom
+    url: /commands/npm-sbom
+    description: Generate a Software Bill of Materials (SBOM)
   - title: npm search
     url: /commands/npm-search
     description: Search for packages

lib/commands/sbom.js

@@ -0,0 +1,155 @@
+'use strict'
+
+const { EOL } = require('os')
+const localeCompare = require('@isaacs/string-locale-compare')('en')
+const BaseCommand = require('../base-command.js')
+const log = require('../utils/log-shim.js')
+const { cyclonedxOutput } = require('../utils/sbom-cyclonedx.js')
+const { spdxOutput } = require('../utils/sbom-spdx.js')
+
+const SBOM_FORMATS = ['cyclonedx', 'spdx']
+
+class SBOM extends BaseCommand {
+  #response = {} // response is the sbom response
+
+  static description = 'Generate a Software Bill of Materials (SBOM)'
+  static name = 'sbom'
+  static workspaces = true
+
+  static params = [
+    'omit',
+    'package-lock-only',
+    'sbom-format',
+    'sbom-type',
+    'workspace',
+    'workspaces',
+  ]
+
+  get #parsedResponse () {
+    return JSON.stringify(this.#response, null, 2)
+  }
+
+  async exec () {
+    const sbomFormat = this.npm.config.get('sbom-format')
+    const packageLockOnly = this.npm.config.get('package-lock-only')
+
+    if (!sbomFormat) {
+      /* eslint-disable-next-line max-len */
+      throw this.usageError(`Must specify --sbom-format flag with one of: ${SBOM_FORMATS.join(', ')}.`)
+    }
+
+    const Arborist = require('@npmcli/arborist')
+
+    const opts = {
+      ...this.npm.flatOptions,
+      path: this.npm.prefix,
+      forceActual: true,
+    }
+    const arb = new Arborist(opts)
+
+    let tree
+    if (packageLockOnly) {
+      try {
+        tree = await arb.loadVirtual(opts)
+      } catch (err) {
+        /* eslint-disable-next-line max-len */
+        throw this.usageError('A package lock or shrinkwrap file is required in package-lock-only mode')
+      }
+    } else {
+      tree = await arb.loadActual(opts)
+    }
+
+    // Collect the list of selected workspaces in the project
+    let wsNodes
+    if (this.workspaceNames && this.workspaceNames.length) {
+      wsNodes = arb.workspaceNodes(tree, this.workspaceNames)
+    }
+
+    // Build the selector and query the tree for the list of nodes
+    const selector = this.#buildSelector({ wsNodes })
+    log.info('sbom', `Using dependency selector: ${selector}`)
+    const items = await tree.querySelectorAll(selector)
+
+    const errors = new Set()
+    for (const node of items) {
+      detectErrors(node).forEach(error => errors.add(error))
+    }
+
+    if (errors.size > 0) {
+      throw Object.assign(
+        new Error([...errors].join(EOL)),
+        { code: 'ESBOMPROBLEMS' }
+      )
+    }
+
+    // Populate the response with the list of unique nodes (sorted by location)
+    this.#buildResponse(
+      items
+        .sort((a, b) => localeCompare(a.location, b.location))
+    )
+    this.npm.output(this.#parsedResponse)
+  }
+
+  async execWorkspaces (args) {
+    await this.setWorkspaces()
+    return this.exec(args)
+  }
+
+  // Build the selector from all of the specified filter options
+  #buildSelector ({ wsNodes }) {
+    let selector
+    const omit = this.npm.flatOptions.omit
+    const workspacesEnabled = this.npm.flatOptions.workspacesEnabled
+
+    // If omit is specified, omit all nodes and their children which match the
+    // specified selectors
+    const omits = omit.reduce((acc, o) => `${acc}:not(.${o})`, '')
+
+    if (!workspacesEnabled) {
+      // If workspaces are disabled, omit all workspace nodes and their children
+      selector = `:root > :not(.workspace)${omits},:root > :not(.workspace) *${omits},:extraneous`
+    } else if (wsNodes && wsNodes.length > 0) {
+      // If one or more workspaces are selected, select only those workspaces and their children
+      selector = wsNodes.map(ws => `#${ws.name},#${ws.name} *${omits}`).join(',')
+    } else {
+      selector = `:root *${omits},:extraneous`
+    }
+
+    // Always include the root node
+    return `:root,${selector}`
+  }
+
+  // builds a normalized inventory
+  #buildResponse (items) {
+    const sbomFormat = this.npm.config.get('sbom-format')
+    const packageType = this.npm.config.get('sbom-type')
+    const packageLockOnly = this.npm.config.get('package-lock-only')
+
+    this.#response =
+        sbomFormat === 'cyclonedx'
+          ? cyclonedxOutput({ npm: this.npm, nodes: items, packageType, packageLockOnly })
+          : spdxOutput({ npm: this.npm, nodes: items, packageType })
+  }
+}
+
+const detectErrors = (node) => {
+  const errors = []
+
+  // Look for missing dependencies (that are NOT optional), or invalid dependencies
+  for (const edge of node.edgesOut.values()) {
+    if (edge.missing && !(edge.type === 'optional' || edge.type === 'peerOptional')) {
+      errors.push(`missing: ${edge.name}@${edge.spec}, required by ${edge.from.pkgid}`)
+    }
+
+    if (edge.invalid) {
+      /* istanbul ignore next */
+      const spec = edge.spec || '*'
+      const from = edge.from.pkgid
+      errors.push(`invalid: ${edge.to.pkgid}, ${spec} required by ${from}`)
+    }
+  }
+
+  return errors
+}
+
+module.exports = SBOM

lib/utils/cmd-list.js

@@ -52,6 +52,7 @@ const commands = [
   'restart',
   'root',
   'run-script',
+  'sbom',
   'search',
   'set',
   'shrinkwrap',

lib/utils/sbom-cyclonedx.js

@@ -0,0 +1,194 @@
+const crypto = require('crypto')
+const normalizeData = require('normalize-package-data')
+const parseLicense = require('spdx-expression-parse')
+const npa = require('npm-package-arg')
+const ssri = require('ssri')
+
+const CYCLONEDX_SCHEMA = 'http://cyclonedx.org/schema/bom-1.5.schema.json'
+const CYCLONEDX_FORMAT = 'CycloneDX'
+const CYCLONEDX_SCHEMA_VERSION = '1.5'
+
+const PROP_PATH = 'cdx:npm:package:path'
+const PROP_BUNDLED = 'cdx:npm:package:bundled'
+const PROP_DEVELOPMENT = 'cdx:npm:package:development'
+const PROP_EXTRANEOUS = 'cdx:npm:package:extraneous'
+const PROP_PRIVATE = 'cdx:npm:package:private'
+
+const REF_VCS = 'vcs'
+const REF_WEBSITE = 'website'
+const REF_ISSUE_TRACKER = 'issue-tracker'
+const REF_DISTRIBUTION = 'distribution'
+
+const ALGO_MAP = {
+  sha1: 'SHA-1',
+  sha256: 'SHA-256',
+  sha384: 'SHA-384',
+  sha512: 'SHA-512',
+}
+
+const cyclonedxOutput = ({ npm, nodes, packageType, packageLockOnly }) => {
+  const rootNode = nodes.find(node => node.isRoot)
+  const childNodes = nodes.filter(node => !node.isRoot && !node.isLink)
+  const uuid = crypto.randomUUID()
+
+  const deps = []
+  const seen = new Set()
+  for (let node of nodes) {
+    if (node.isLink) {
+      node = node.target
+    }
+
+    if (seen.has(node)) {
+      continue
+    }
+    seen.add(node)
+    deps.push(toCyclonedxDependency(node, nodes))
+  }
+
+  const bom = {
+    $schema: CYCLONEDX_SCHEMA,
+    bomFormat: CYCLONEDX_FORMAT,
+    specVersion: CYCLONEDX_SCHEMA_VERSION,
+    serialNumber: `urn:uuid:${uuid}`,
+    version: 1,
+    metadata: {
+      timestamp: new Date().toISOString(),
+      lifecycles: [
+        { phase: packageLockOnly ? 'pre-build' : 'build' },
+      ],
+      tools: [
+        {
+          vendor: 'npm',
+          name: 'cli',
+          version: npm.version,
+        },
+      ],
+      component: toCyclonedxItem(rootNode, { packageType }),
+    },
+    components: childNodes.map(toCyclonedxItem),
+    dependencies: deps,
+  }
+
+  return bom
+}
+
+const toCyclonedxItem = (node, { packageType }) => {
+  packageType = packageType || 'library'
+
+  // Calculate purl from package spec
+  let spec = npa(node.pkgid)
+  spec = (spec.type === 'alias') ? spec.subSpec : spec
+  const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${node.resolved}` : '')
+
+  if (node.package) {
+    normalizeData(node.package)
+  }
+
+  let parsedLicense
+  try {
+    parsedLicense = parseLicense(node.package?.license)
+  } catch (err) {
+    parsedLicense = null
+  }
+
+  const component = {
+    'bom-ref': toCyclonedxID(node),
+    type: packageType,
+    name: node.name,
+    version: node.version,
+    scope: (node.optional || node.devOptional) ? 'optional' : 'required',
+    author: (typeof node.package?.author === 'object')
+      ? node.package.author.name
+      : (node.package?.author || undefined),
+    description: node.package?.description || undefined,
+    purl: purl,
+    properties: [{
+      name: PROP_PATH,
+      value: node.location,
+    }],
+    externalReferences: [],
+  }
+
+  if (node.integrity) {
+    const integrity = ssri.parse(node.integrity, { single: true })
+    component.hashes = [{
+      alg: ALGO_MAP[integrity.algorithm] || /* istanbul ignore next */ 'SHA-512',
+      content: integrity.hexDigest(),
+    }]
+  }
+
+  if (node.dev === true) {
+    component.properties.push(prop(PROP_DEVELOPMENT))
+  }
+
+  if (node.package?.private === true) {
+    component.properties.push(prop(PROP_PRIVATE))
+  }
+
+  if (node.extraneous === true) {
+    component.properties.push(prop(PROP_EXTRANEOUS))
+  }
+
+  if (node.inBundle === true) {
+    component.properties.push(prop(PROP_BUNDLED))
+  }
+
+  if (!node.isLink && node.resolved) {
+    component.externalReferences.push(extRef(REF_DISTRIBUTION, node.resolved))
+  }
+
+  if (node.package?.repository?.url) {
+    component.externalReferences.push(extRef(REF_VCS, node.package.repository.url))
+  }
+
+  if (node.package?.homepage) {
+    component.externalReferences.push(extRef(REF_WEBSITE, node.package.homepage))
+  }
+
+  if (node.package?.bugs?.url) {
+    component.externalReferences.push(extRef(REF_ISSUE_TRACKER, node.package.bugs.url))
+  }
+
+  // If license is a single SPDX license, use the license field
+  if (parsedLicense?.license) {
+    component.licenses = [{ license: { id: parsedLicense.license } }]
+  // If license is a conjunction, use the expression field
+  } else if (parsedLicense?.conjunction) {
+    component.licenses = [{ expression: node.package.license }]
+  }
+
+  return component
+}
+
+const toCyclonedxDependency = (node, nodes) => {
+  return {
+    ref: toCyclonedxID(node),
+    dependsOn: [...node.edgesOut.values()]
+      // Filter out edges that are linking to nodes not in the list
+      .filter(edge => nodes.find(n => n === edge.to))
+      .map(edge => toCyclonedxID(edge.to))
+      .filter(id => id),
+  }
+}
+
+const toCyclonedxID = (node) => `${node.packageName}@${node.version}`
+
+const prop = (name) => ({ name, value: 'true' })
+
+const extRef = (type, url) => ({ type, url })
+
+const isGitNode = (node) => {
+  if (!node.resolved) {
+    return
+  }
+
+  try {
+    const { type } = npa(node.resolved)
+    return type === 'git' || type === 'hosted'
+  } catch (err) {
+    /* istanbul ignore next */
+    return false
+  }
+}
+
+module.exports = { cyclonedxOutput }

lib/utils/sbom-spdx.js

@@ -0,0 +1,175 @@
+
+const crypto = require('crypto')
+const normalizeData = require('normalize-package-data')
+const npa = require('npm-package-arg')
+const ssri = require('ssri')
+
+const SPDX_SCHEMA_VERSION = 'SPDX-2.3'
+const SPDX_DATA_LICENSE = 'CC0-1.0'
+const SPDX_IDENTIFER = 'SPDXRef-DOCUMENT'
+
+const NO_ASSERTION = 'NOASSERTION'
+
+const REL_DESCRIBES = 'DESCRIBES'
+const REL_PREREQ = 'HAS_PREREQUISITE'
+const REL_OPTIONAL = 'OPTIONAL_DEPENDENCY_OF'
+const REL_DEV = 'DEV_DEPENDENCY_OF'
+const REL_DEP = 'DEPENDS_ON'
+
+const REF_CAT_PACKAGE_MANAGER = 'PACKAGE-MANAGER'
+const REF_TYPE_PURL = 'purl'
+
+const spdxOutput = ({ npm, nodes, packageType }) => {
+  const rootNode = nodes.find(node => node.isRoot)
+  const childNodes = nodes.filter(node => !node.isRoot && !node.isLink)
+  const rootID = rootNode.pkgid
+  const uuid = crypto.randomUUID()
+  const ns = `http://spdx.org/spdxdocs/${npa(rootID).escapedName}-${rootNode.version}-${uuid}`
+
+  const relationships = []
+  const seen = new Set()
+  for (let node of nodes) {
+    if (node.isLink) {
+      node = node.target
+    }
+
+    if (seen.has(node)) {
+      continue
+    }
+    seen.add(node)
+
+    const rels = [...node.edgesOut.values()]
+      // Filter out edges that are linking to nodes not in the list
+      .filter(edge => nodes.find(n => n === edge.to))
+      .map(edge => toSpdxRelationship(node, edge))
+      .filter(rel => rel)
+
+    relationships.push(...rels)
+  }
+
+  const extraRelationships = nodes.filter(node => node.extraneous)
+    .map(node => toSpdxRelationship(rootNode, { to: node, type: 'optional' }))
+
+  relationships.push(...extraRelationships)
+
+  const bom = {
+    spdxVersion: SPDX_SCHEMA_VERSION,
+    dataLicense: SPDX_DATA_LICENSE,
+    SPDXID: SPDX_IDENTIFER,
+    name: rootID,
+    documentNamespace: ns,
+    creationInfo: {
+      created: new Date().toISOString(),
+      creators: [
+        `Tool: npm/cli-${npm.version}`,
+      ],
+    },
+    documentDescribes: [toSpdxID(rootNode)],
+    packages: [toSpdxItem(rootNode, { packageType }), ...childNodes.map(toSpdxItem)],
+    relationships: [
+      {
+        spdxElementId: SPDX_IDENTIFER,
+        relatedSpdxElement: toSpdxID(rootNode),
+        relationshipType: REL_DESCRIBES,
+      },
+      ...relationships,
+    ],
+  }
+
+  return bom
+}
+
+const toSpdxItem = (node, { packageType }) => {
+  normalizeData(node.package)
+
+  // Calculate purl from package spec
+  let spec = npa(node.pkgid)
+  spec = (spec.type === 'alias') ? spec.subSpec : spec
+  const purl = npa.toPurl(spec) + (isGitNode(node) ? `?vcs_url=${node.resolved}` : '')
+
+  /* For workspace nodes, use the location from their linkNode */
+  let location = node.location
+  if (node.isWorkspace && node.linksIn.size > 0) {
+    location = node.linksIn.values().next().value.location
+  }
+
+  const pkg = {
+    name: node.packageName,
+    SPDXID: toSpdxID(node),
+    versionInfo: node.version,
+    packageFileName: location,
+    description: node.package?.description || undefined,
+    primaryPackagePurpose: packageType ? packageType.toUpperCase() : undefined,
+    downloadLocation: (node.isLink ? undefined : node.resolved) || NO_ASSERTION,
+    filesAnalyzed: false,
+    homepage: node.package?.homepage || NO_ASSERTION,
+    licenseDeclared: node.package?.license || NO_ASSERTION,
+    externalRefs: [
+      {
+        referenceCategory: REF_CAT_PACKAGE_MANAGER,
+        referenceType: REF_TYPE_PURL,
+        referenceLocator: purl,
+      },
+    ],
+  }
+
+  if (node.integrity) {
+    const integrity = ssri.parse(node.integrity, { single: true })
+    pkg.checksums = [{
+      algorithm: integrity.algorithm.toUpperCase(),
+      checksumValue: integrity.hexDigest(),
+    }]
+  }
+  return pkg
+}
+
+const toSpdxRelationship = (node, edge) => {
+  let type
+  switch (edge.type) {
+    case 'peer':
+      type = REL_PREREQ
+      break
+    case 'optional':
+      type = REL_OPTIONAL
+      break
+    case 'dev':
+      type = REL_DEV
+      break
+    default:
+      type = REL_DEP
+  }
+
+  return {
+    spdxElementId: toSpdxID(node),
+    relatedSpdxElement: toSpdxID(edge.to),
+    relationshipType: type,
+  }
+}
+
+const toSpdxID = (node) => {
+  let name = node.packageName
+
+  // Strip leading @ for scoped packages
+  name = name.replace(/^@/, '')
+
+  // Replace slashes with dots
+  name = name.replace(/\//g, '.')
+
+  return `SPDXRef-Package-${name}-${node.version}`
+}
+
+const isGitNode = (node) => {
+  if (!node.resolved) {
+    return
+  }
+
+  try {
+    const { type } = npa(node.resolved)
+    return type === 'git' || type === 'hosted'
+  } catch (err) {
+    /* istanbul ignore next */
+    return false
+  }
+}
+
+module.exports = { spdxOutput }

package.json

@@ -95,6 +95,7 @@
     "ms": "^2.1.2",
     "node-gyp": "^9.4.0",
     "nopt": "^7.2.0",
+    "normalize-package-data": "^6.0.0",
     "npm-audit-report": "^5.0.0",
     "npm-install-checks": "^6.2.0",
     "npm-package-arg": "^11.0.0",
@@ -110,6 +111,7 @@
     "qrcode-terminal": "^0.12.0",
     "read": "^2.1.0",
     "semver": "^7.5.4",
+    "spdx-expression-parse": "^3.0.1",
     "ssri": "^10.0.5",
     "strip-ansi": "^6.0.1",
     "supports-color": "^9.4.0",
@@ -166,6 +168,7 @@
     "ms",
     "node-gyp",
     "nopt",
+    "normalize-package-data",
     "npm-audit-report",
     "npm-install-checks",
     "npm-package-arg",
@@ -181,6 +184,7 @@
     "qrcode-terminal",
     "read",
     "semver",
+    "spdx-expression-parse",
     "ssri",
     "strip-ansi",
     "supports-color",
@@ -200,6 +204,9 @@
     "@npmcli/mock-registry": "^1.0.0",
     "@npmcli/template-oss": "4.19.0",
     "@tufjs/repo-mock": "^2.0.0",
+    "ajv": "^8.12.0",
+    "ajv-formats": "^2.1.1",
+    "ajv-formats-draft2019": "^1.6.1",
     "diff": "^5.1.0",
     "licensee": "^10.0.0",
     "nock": "^13.3.3",

smoke-tests/tap-snapshots/test/index.js.test.cjs

@@ -27,10 +27,10 @@ All commands:
     help-search, hook, init, install, install-ci-test,
     install-test, link, ll, login, logout, ls, org, outdated,
     owner, pack, ping, pkg, prefix, profile, prune, publish,
-    query, rebuild, repo, restart, root, run-script, search,
-    set, shrinkwrap, star, stars, start, stop, team, test,
-    token, uninstall, unpublish, unstar, update, version, view,
-    whoami
+    query, rebuild, repo, restart, root, run-script, sbom,
+    search, set, shrinkwrap, star, stars, start, stop, team,
+    test, token, uninstall, unpublish, unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {NPM}/{TESTDIR}/home/.npmrc

tap-snapshots/test/lib/commands/completion.js.test.cjs

@@ -93,6 +93,7 @@ Array [
       restart
       root
       run-script
+      sbom
       search
       set
       shrinkwrap

tap-snapshots/test/lib/commands/config.js.test.cjs

@@ -89,6 +89,8 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "legacy-peer-deps": false,
   "link": false,
   "local-address": null,
+  "sbom-format": null,
+  "sbom-type": "library",
   "location": "user",
   "lockfile-version": null,
   "loglevel": "notice",
@@ -290,6 +292,8 @@ save-optional = false
 save-peer = false 
 save-prefix = "^" 
 save-prod = false 
+sbom-format = null 
+sbom-type = "library" 
 scope = "" 
 script-shell = null 
 searchexclude = "" 

tap-snapshots/test/lib/commands/publish.js.test.cjs

@@ -191,6 +191,7 @@ Object {
     "man/man1/npm-restart.1",
     "man/man1/npm-root.1",
     "man/man1/npm-run-script.1",
+    "man/man1/npm-sbom.1",
     "man/man1/npm-search.1",
     "man/man1/npm-shrinkwrap.1",
     "man/man1/npm-star.1",

tap-snapshots/test/lib/commands/sbom.js.test.cjs

@@ -145,6 +145,7 @@ Array [
   "restart",
   "root",
   "run-script",
+  "sbom",
   "search",
   "set",
   "shrinkwrap",
@@ -1405,6 +1406,26 @@ or \`--save-optional\` are true.
 
 
 
+#### \`sbom-format\`
+
+* Default: null
+* Type: "cyclonedx" or "spdx"
+
+SBOM format to use when generating SBOMs.
+
+
+
+#### \`sbom-type\`
+
+* Default: "library"
+* Type: "library", "application", or "framework"
+
+The type of package described by the generated SBOM. For SPDX, this is the
+value for the \`primaryPackagePurpose\` fieled. For CycloneDX, this is the
+value for the \`type\` field.
+
+
+
 #### \`scope\`
 
 * Default: the scope of the current project, if any, or ""
@@ -2083,6 +2104,8 @@ Array [
   "legacy-peer-deps",
   "link",
   "local-address",
+  "sbom-format",
+  "sbom-type",
   "location",
   "lockfile-version",
   "loglevel",
@@ -2225,6 +2248,8 @@ Array [
   "legacy-bundling",
   "legacy-peer-deps",
   "local-address",
+  "sbom-format",
+  "sbom-type",
   "location",
   "lockfile-version",
   "loglevel",
@@ -2415,6 +2440,8 @@ Object {
   "save": true,
   "saveBundle": false,
   "savePrefix": "^",
+  "sbomFormat": null,
+  "sbomType": "library",
   "scope": "",
   "scriptShell": undefined,
   "search": Object {
@@ -3965,6 +3992,33 @@ aliases: run, rum, urn
 #### \`script-shell\`
 `
 
+exports[`test/lib/docs.js TAP usage sbom > must match snapshot 1`] = `
+Generate a Software Bill of Materials (SBOM)
+
+Usage:
+npm sbom
+
+Options:
+[--omit <dev|optional|peer> [--omit <dev|optional|peer> ...]]
+[--package-lock-only] [--sbom-format <cyclonedx|spdx>]
+[--sbom-type <library|application|framework>]
+[-w|--workspace <workspace-name> [-w|--workspace <workspace-name> ...]]
+[-ws|--workspaces]
+
+Run "npm help sbom" for more info
+
+\`\`\`bash
+npm sbom
+\`\`\`
+
+#### \`omit\`
+#### \`package-lock-only\`
+#### \`sbom-format\`
+#### \`sbom-type\`
+#### \`workspace\`
+#### \`workspaces\`
+`
+
 exports[`test/lib/docs.js TAP usage search > must match snapshot 1`] = `
 Search for packages
 

tap-snapshots/test/lib/docs.js.test.cjs

@@ -27,10 +27,10 @@ All commands:
     help-search, hook, init, install, install-ci-test,
     install-test, link, ll, login, logout, ls, org, outdated,
     owner, pack, ping, pkg, prefix, profile, prune, publish,
-    query, rebuild, repo, restart, root, run-script, search,
-    set, shrinkwrap, star, stars, start, stop, team, test,
-    token, uninstall, unpublish, unstar, update, version, view,
-    whoami
+    query, rebuild, repo, restart, root, run-script, sbom,
+    search, set, shrinkwrap, star, stars, start, stop, team,
+    test, token, uninstall, unpublish, unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -76,13 +76,13 @@ All commands:
     profile, prune, publish,
     query, rebuild, repo,
     restart, root,
-    run-script, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, uninstall,
-    unpublish, unstar,
-    update, version, view,
-    whoami
+    run-script, sbom,
+    search, set, shrinkwrap,
+    star, stars, start,
+    stop, team, test, token,
+    uninstall, unpublish,
+    unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -128,13 +128,13 @@ All commands:
     profile, prune, publish,
     query, rebuild, repo,
     restart, root,
-    run-script, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, uninstall,
-    unpublish, unstar,
-    update, version, view,
-    whoami
+    run-script, sbom,
+    search, set, shrinkwrap,
+    star, stars, start,
+    stop, team, test, token,
+    uninstall, unpublish,
+    unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -168,10 +168,10 @@ All commands:
     help-search, hook, init, install, install-ci-test,
     install-test, link, ll, login, logout, ls, org, outdated,
     owner, pack, ping, pkg, prefix, profile, prune, publish,
-    query, rebuild, repo, restart, root, run-script, search,
-    set, shrinkwrap, star, stars, start, stop, team, test,
-    token, uninstall, unpublish, unstar, update, version, view,
-    whoami
+    query, rebuild, repo, restart, root, run-script, sbom,
+    search, set, shrinkwrap, star, stars, start, stop, team,
+    test, token, uninstall, unpublish, unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -217,13 +217,13 @@ All commands:
     profile, prune, publish,
     query, rebuild, repo,
     restart, root,
-    run-script, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, uninstall,
-    unpublish, unstar,
-    update, version, view,
-    whoami
+    run-script, sbom,
+    search, set, shrinkwrap,
+    star, stars, start,
+    stop, team, test, token,
+    uninstall, unpublish,
+    unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -269,13 +269,13 @@ All commands:
     profile, prune, publish,
     query, rebuild, repo,
     restart, root,
-    run-script, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, uninstall,
-    unpublish, unstar,
-    update, version, view,
-    whoami
+    run-script, sbom,
+    search, set, shrinkwrap,
+    star, stars, start,
+    stop, team, test, token,
+    uninstall, unpublish,
+    unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -320,10 +320,10 @@ All commands:
     profile, prune, publish,
     query, rebuild, repo,
     restart, root,
-    run-script, search, set,
-    shrinkwrap, star, stars,
-    start, stop, team, test,
-    token, uninstall,
+    run-script, sbom, search,
+    set, shrinkwrap, star,
+    stars, start, stop, team,
+    test, token, uninstall,
     unpublish, unstar,
     update, version, view,
     whoami
@@ -360,10 +360,10 @@ All commands:
     help-search, hook, init, install, install-ci-test,
     install-test, link, ll, login, logout, ls, org, outdated,
     owner, pack, ping, pkg, prefix, profile, prune, publish,
-    query, rebuild, repo, restart, root, run-script, search,
-    set, shrinkwrap, star, stars, start, stop, team, test,
-    token, uninstall, unpublish, unstar, update, version, view,
-    whoami
+    query, rebuild, repo, restart, root, run-script, sbom,
+    search, set, shrinkwrap, star, stars, start, stop, team,
+    test, token, uninstall, unpublish, unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -397,10 +397,10 @@ All commands:
     help-search, hook, init, install, install-ci-test,
     install-test, link, ll, login, logout, ls, org, outdated,
     owner, pack, ping, pkg, prefix, profile, prune, publish,
-    query, rebuild, repo, restart, root, run-script, search,
-    set, shrinkwrap, star, stars, start, stop, team, test,
-    token, uninstall, unpublish, unstar, update, version, view,
-    whoami
+    query, rebuild, repo, restart, root, run-script, sbom,
+    search, set, shrinkwrap, star, stars, start, stop, team,
+    test, token, uninstall, unpublish, unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}
@@ -434,10 +434,10 @@ All commands:
     help-search, hook, init, install, install-ci-test,
     install-test, link, ll, login, logout, ls, org, outdated,
     owner, pack, ping, pkg, prefix, profile, prune, publish,
-    query, rebuild, repo, restart, root, run-script, search,
-    set, shrinkwrap, star, stars, start, stop, team, test,
-    token, uninstall, unpublish, unstar, update, version, view,
-    whoami
+    query, rebuild, repo, restart, root, run-script, sbom,
+    search, set, shrinkwrap, star, stars, start, stop, team,
+    test, token, uninstall, unpublish, unstar, update, version,
+    view, whoami
 
 Specify configs in the ini-formatted file:
     {USERCONFIG}

tap-snapshots/test/lib/npm.js.test.cjs

@@ -0,0 +1,245 @@
+const t = require('tap')
+const Ajv = require('ajv')
+const applyFormats = require('ajv-formats')
+const applyDraftFormats = require('ajv-formats-draft2019')
+const { cyclonedxOutput } = require('../../../lib/utils/sbom-cyclonedx.js')
+
+const FAKE_UUID = 'urn:uuid:00000000-0000-0000-0000-000000000000'
+
+t.cleanSnapshot = s => {
+  let sbom
+  try {
+    sbom = JSON.parse(s)
+  } catch (e) {
+    return s
+  }
+
+  sbom.serialNumber = FAKE_UUID
+  if (sbom.metadata) {
+    sbom.metadata.timestamp = '2020-01-01T00:00:00.000Z'
+  }
+
+  return JSON.stringify(sbom, null, 2)
+}
+
+const npm = { version: '10.0.0 ' }
+
+const rootPkg = {
+  author: 'Author',
+}
+
+const root = {
+  name: 'root',
+  packageName: 'root',
+  version: '1.0.0',
+  pkgid: 'root@1.0.0',
+  isRoot: true,
+  package: rootPkg,
+  location: '',
+  edgesOut: [],
+}
+
+const dep1 = {
+  name: 'dep1',
+  packageName: 'dep1',
+  version: '0.0.1',
+  pkgid: 'dep1@0.0.1',
+  package: {},
+  location: 'node_modules/dep1',
+  edgesOut: [],
+}
+
+const dep2 = {
+  name: 'dep2',
+  packageName: 'dep2',
+  version: '0.0.2',
+  pkgid: 'npm@npm:dep2@0.0.2',
+  package: {},
+  location: 'node_modules/dep2',
+  edgesOut: [{ to: dep1 }],
+}
+
+const dep2Link = {
+  name: 'dep2',
+  packageName: 'dep2',
+  version: '0.0.2',
+  pkgid: 'dep2@0.0.2',
+  package: {},
+  location: 'node_modules/dep2',
+  edgesOut: [],
+  isLink: true,
+  target: dep2,
+}
+
+t.test('single node - application package type', t => {
+  const res = cyclonedxOutput({ npm, nodes: [root], packageType: 'application' })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - package lock only', t => {
+  const res = cyclonedxOutput({ npm, nodes: [root], packageLockOnly: true })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - optional ', t => {
+  const node = { ...root, optional: true }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with description', t => {
+  const pkg = { ...rootPkg, description: 'Package description' }
+  const node = { ...root, package: pkg }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with author object', t => {
+  const pkg = { ...rootPkg, author: { name: 'Arthur' } }
+  const node = { ...root, package: pkg }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with integrity', t => {
+  /* eslint-disable-next-line max-len */
+  const node = { ...root, integrity: 'sha512-1RkbFGUKex4lvsB9yhIfWltJM5cZKUftB2eNajaDv3dCMEp49iBG0K14uH8NnX9IPux2+mK7JGEOB0jn48/J6w==' }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - development', t => {
+  const node = { ...root, dev: true }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - extraneous', t => {
+  const node = { ...root, extraneous: true }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - bundled', t => {
+  const node = { ...root, inBundle: true }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - private', t => {
+  const pkg = { ...rootPkg, private: true }
+  const node = { ...root, package: pkg }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with repository url', t => {
+  const pkg = { ...rootPkg, repository: { url: 'https://foo.bar' } }
+  const node = { ...root, package: pkg }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with homepage', t => {
+  const pkg = { ...rootPkg, homepage: 'https://foo.bar/README.md' }
+  const node = { ...root, package: pkg }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with issue tracker', t => {
+  const pkg = { ...rootPkg, bugs: { url: 'https://foo.bar/issues' } }
+  const node = { ...root, package: pkg }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with distribution url', t => {
+  const node = { ...root, resolved: 'https://registry.npmjs.org/root/-/root-1.0.0.tgz' }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with single license', t => {
+  const pkg = { ...rootPkg, license: 'ISC' }
+  const node = { ...root, package: pkg }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with license expression', t => {
+  const pkg = { ...rootPkg, license: '(MIT OR Apache-2.0)' }
+  const node = { ...root, package: pkg }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - from git url', t => {
+  const node = { ...root, type: 'git', resolved: 'https://github.com/foo/bar#1234' }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - no package info', t => {
+  const node = { ...root, package: undefined }
+  const res = cyclonedxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('node - with deps', t => {
+  const node = { ...root,
+    edgesOut: [
+      { to: dep1 },
+      { to: dep2 },
+      { to: undefined },
+      { to: { pkgid: 'foo' } },
+    ] }
+  const res = cyclonedxOutput({ npm, nodes: [node, dep1, dep2, dep2Link] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+// Check that all of the generated test snapshots validate against the CycloneDX schema
+t.test('schema validation', t => {
+  // Load schemas
+  const cdxSchema = require('../../schemas/cyclonedx/bom-1.5.schema.json')
+  const spdxLicenseSchema = require('../../schemas/cyclonedx/spdx.schema.json')
+  const jsfSchema = require('../../schemas/cyclonedx/jsf-0.82.schema.json')
+
+  const ajv = new Ajv({
+    strict: false,
+    schemas: [spdxLicenseSchema, jsfSchema, cdxSchema],
+  })
+  applyFormats(ajv)
+  applyDraftFormats(ajv)
+
+  // Retrieve compiled schema
+  const validate = ajv.getSchema('http://cyclonedx.org/schema/bom-1.5.schema.json')
+
+  // Load snapshots for all tests in this file
+  const sboms = require('../../../tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs')
+
+  // Check that all snapshots validate against the CycloneDX schema
+  Object.entries(sboms).forEach(([name, sbom]) => {
+    t.ok(validate(JSON.parse(sbom)), { snapshot: name, error: validate.errors?.[0] })
+  })
+  t.end()
+})

tap-snapshots/test/lib/utils/sbom-cyclonedx.js.test.cjs

@@ -0,0 +1,188 @@
+const t = require('tap')
+const Ajv = require('ajv')
+const { spdxOutput } = require('../../../lib/utils/sbom-spdx.js')
+
+t.cleanSnapshot = s => {
+  let sbom
+  try {
+    sbom = JSON.parse(s)
+  } catch (e) {
+    return s
+  }
+
+  sbom.documentNamespace = 'docns'
+
+  if (sbom.creationInfo) {
+    sbom.creationInfo.created = '2020-01-01T00:00:00.000Z'
+  }
+
+  return JSON.stringify(sbom, null, 2)
+}
+
+const npm = { version: '10.0.0 ' }
+
+const rootPkg = {
+  author: 'Author',
+}
+
+const root = {
+  packageName: 'root',
+  version: '1.0.0',
+  pkgid: 'root@1.0.0',
+  isRoot: true,
+  package: rootPkg,
+  location: '',
+  edgesOut: [],
+}
+
+const dep1 = {
+  packageName: 'dep1',
+  version: '0.0.1',
+  pkgid: 'dep1@0.0.1',
+  package: {},
+  location: 'node_modules/dep1',
+  edgesOut: [],
+}
+
+const dep2 = {
+  packageName: 'dep2',
+  version: '0.0.2',
+  pkgid: 'dep2@0.0.2',
+  package: {},
+  location: 'node_modules/dep2',
+  edgesOut: [],
+}
+
+const dep3 = {
+  packageName: 'dep3',
+  version: '0.0.3',
+  pkgid: 'dep3@0.0.3',
+  package: {},
+  location: 'node_modules/dep3',
+  edgesOut: [],
+}
+
+const dep5 = {
+  packageName: 'dep5',
+  version: '0.0.5',
+  pkgid: 'dep5@0.0.5',
+  package: {},
+  location: 'node_modules/dep5',
+  edgesOut: [],
+}
+
+const dep4 = {
+  packageName: 'dep4',
+  version: '0.0.4',
+  pkgid: 'npm@npm:dep4@0.0.4',
+  package: {},
+  location: 'dep4',
+  isWorkspace: true,
+  edgesOut: [{ to: dep5 }],
+}
+
+const dep4Link = {
+  packageName: 'dep4',
+  version: '0.0.4',
+  pkgid: 'dep4@0.0.4',
+  package: {},
+  location: 'node_modules/dep4',
+  isLink: true,
+  target: dep4,
+}
+
+dep4.linksIn = new Set([dep4Link])
+
+const dep6 = {
+  packageName: 'dep6',
+  version: '0.0.6',
+  pkgid: 'dep6@0.0.6',
+  extraneous: true,
+  package: {},
+  location: 'node_modules/dep6',
+  edgesOut: [],
+}
+
+t.test('single node - application package type', t => {
+  const res = spdxOutput({ npm, nodes: [root], packageType: 'application' })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with description', t => {
+  const pkg = { ...rootPkg, description: 'Package description' }
+  const node = { ...root, package: pkg }
+  const res = spdxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with distribution url', t => {
+  const node = { ...root, resolved: 'https://registry.npmjs.org/root/-/root-1.0.0.tgz' }
+  const res = spdxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with homepage', t => {
+  const pkg = { ...rootPkg, homepage: 'https://foo.bar/README.md' }
+  const node = { ...root, package: pkg }
+  const res = spdxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - with integrity', t => {
+  /* eslint-disable-next-line max-len */
+  const node = { ...root, integrity: 'sha512-1RkbFGUKex4lvsB9yhIfWltJM5cZKUftB2eNajaDv3dCMEp49iBG0K14uH8NnX9IPux2+mK7JGEOB0jn48/J6w==' }
+  const res = spdxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - from git url', t => {
+  const node = { ...root, type: 'git', resolved: 'https://github.com/foo/bar#1234' }
+  const res = spdxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('single node - linked', t => {
+  const node = { ...root, isLink: true, target: { edgesOut: [] } }
+  const res = spdxOutput({ npm, nodes: [node] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+t.test('node - with deps', t => {
+  const node = { ...root,
+    edgesOut: [
+      { to: dep1, type: 'peer' },
+      { to: dep2, type: 'optional' },
+      { to: dep3, type: 'dev' },
+      { to: dep4 },
+      { to: undefined },
+      { to: { packageName: 'foo' } },
+    ] }
+  const res = spdxOutput({ npm, nodes: [node, dep1, dep2, dep3, dep4Link, dep4, dep5, dep6] })
+  t.matchSnapshot(JSON.stringify(res))
+  t.end()
+})
+
+// Check that all of the generated test snapshots validate against the SPDX schema
+t.test('schema validation', t => {
+  const ajv = new Ajv()
+
+  // Compile schema
+  const spdxSchema = require('../../schemas/spdx/spdx-2.3.schema.json')
+  const validate = ajv.compile(spdxSchema)
+
+  // Load snapshots for all tests in this file
+  const sboms = require('../../../tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs')
+
+  // Check that all snapshots validate against the SPDX schema
+  Object.entries(sboms).forEach(([name, sbom]) => {
+    t.ok(validate(JSON.parse(sbom)), { snapshot: name, error: validate.errors?.[0] })
+  })
+  t.end()
+})

tap-snapshots/test/lib/utils/sbom-spdx.js.test.cjs

@@ -0,0 +1,240 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "http://cyclonedx.org/schema/jsf-0.82.schema.json",
+  "type": "object",
+  "title": "JSON Signature Format (JSF) standard",
+  "$comment" : "JSON Signature Format schema is published under the terms of the Apache License 2.0. JSF was developed by Anders Rundgren (anders.rundgren.net@gmail.com) as a part of the OpenKeyStore project. This schema supports the entirely of the JSF standard excluding 'extensions'.",
+  "definitions": {
+    "signature": {
+      "type": "object",
+      "title": "Signature",
+      "oneOf": [
+        {
+          "additionalProperties": false,
+          "properties": {
+            "signers": {
+              "type": "array",
+              "title": "Signature",
+              "description": "Unique top level property for Multiple Signatures. (multisignature)",
+              "items": {"$ref": "#/definitions/signer"}
+            }
+          }
+        },
+        {
+          "additionalProperties": false,
+          "properties": {
+            "chain": {
+              "type": "array",
+              "title": "Signature",
+              "description": "Unique top level property for Signature Chains. (signaturechain)",
+              "items": {"$ref": "#/definitions/signer"}
+            }
+          }
+        },
+        {
+          "title": "Signature",
+          "description": "Unique top level property for simple signatures. (signaturecore)",
+          "$ref": "#/definitions/signer"
+        }
+      ]
+    },
+    "signer": {
+      "type": "object",
+      "title": "Signature",
+      "required": [
+        "algorithm",
+        "value"
+      ],
+      "additionalProperties": false,
+      "properties": {
+        "algorithm": {
+          "oneOf": [
+            {
+              "type": "string",
+              "title": "Algorithm",
+              "description": "Signature algorithm. The currently recognized JWA [RFC7518] and RFC8037 [RFC8037] asymmetric key algorithms. Note: Unlike RFC8037 [RFC8037] JSF requires explicit Ed* algorithm names instead of \"EdDSA\".",
+              "enum": [
+                "RS256",
+                "RS384",
+                "RS512",
+                "PS256",
+                "PS384",
+                "PS512",
+                "ES256",
+                "ES384",
+                "ES512",
+                "Ed25519",
+                "Ed448",
+                "HS256",
+                "HS384",
+                "HS512"
+              ]
+            },
+            {
+              "type": "string",
+              "title": "Algorithm",
+              "description": "Signature algorithm. Note: If proprietary signature algorithms are added, they must be expressed as URIs.",
+              "format": "uri"
+            }
+          ]
+        },
+        "keyId": {
+          "type": "string",
+          "title": "Key ID",
+          "description": "Optional. Application specific string identifying the signature key."
+        },
+        "publicKey": {
+          "title": "Public key",
+          "description": "Optional. Public key object.",
+          "$ref": "#/definitions/publicKey"
+        },
+        "certificatePath": {
+          "type": "array",
+          "title": "Certificate path",
+          "description": "Optional. Sorted array of X.509 [RFC5280] certificates, where the first element must contain the signature certificate. The certificate path must be contiguous but is not required to be complete.",
+          "items": {
+            "type": "string"
+          }
+        },
+        "excludes": {
+          "type": "array",
+          "title": "Excludes",
+          "description": "Optional. Array holding the names of one or more application level properties that must be excluded from the signature process. Note that the \"excludes\" property itself, must also be excluded from the signature process. Since both the \"excludes\" property and the associated data it points to are unsigned, a conforming JSF implementation must provide options for specifying which properties to accept.",
+          "items": {
+            "type": "string"
+          }
+        },
+        "value": {
+          "type": "string",
+          "title": "Signature",
+          "description": "The signature data. Note that the binary representation must follow the JWA [RFC7518] specifications."
+        }
+      }
+    },
+    "keyType": {
+      "type": "string",
+      "title": "Key type",
+      "description": "Key type indicator.",
+      "enum": [
+        "EC",
+        "OKP",
+        "RSA"
+      ]
+    },
+    "publicKey": {
+      "title": "Public key",
+      "description": "Optional. Public key object.",
+      "type": "object",
+      "required": [
+        "kty"
+      ],
+      "additionalProperties": true,
+      "properties": {
+        "kty": {
+          "$ref": "#/definitions/keyType"
+        }
+      },
+      "allOf": [
+        {
+          "if": {
+            "properties": { "kty": { "const": "EC" } }
+          },
+          "then": {
+            "required": [
+              "kty",
+              "crv",
+              "x",
+              "y"
+            ],
+            "additionalProperties": false,
+            "properties": {
+              "kty": {
+                "$ref": "#/definitions/keyType"
+              },
+              "crv": {
+                "type": "string",
+                "title": "Curve name",
+                "description": "EC curve name.",
+                "enum": [
+                  "P-256",
+                  "P-384",
+                  "P-521"
+                ]
+              },
+              "x": {
+                "type": "string",
+                "title": "Coordinate",
+                "description": "EC curve point X. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"P-521\", the decoded argument must be 66 bytes."
+              },
+              "y": {
+                "type": "string",
+                "title": "Coordinate",
+                "description": "EC curve point Y. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"P-256\", the decoded argument must be 32 bytes."
+              }
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": { "kty": { "const": "OKP" } }
+          },
+          "then": {
+            "required": [
+              "kty",
+              "crv",
+              "x"
+            ],
+            "additionalProperties": false,
+            "properties": {
+              "kty": {
+                "$ref": "#/definitions/keyType"
+              },
+              "crv": {
+                "type": "string",
+                "title": "Curve name",
+                "description": "EdDSA curve name.",
+                "enum": [
+                  "Ed25519",
+                  "Ed448"
+                ]
+              },
+              "x": {
+                "type": "string",
+                "title": "Coordinate",
+                "description": "EdDSA curve point X. The length of this field must be the full size of a coordinate for the curve specified in the \"crv\" parameter. For example, if the value of \"crv\" is \"Ed25519\", the decoded argument must be 32 bytes."
+              }
+            }
+          }
+        },
+        {
+          "if": {
+            "properties": { "kty": { "const": "RSA" } }
+          },
+          "then": {
+            "required": [
+              "kty",
+              "n",
+              "e"
+            ],
+            "additionalProperties": false,
+            "properties": {
+              "kty": {
+                "$ref": "#/definitions/keyType"
+              },
+              "n": {
+                "type": "string",
+                "title": "Modulus",
+                "description": "RSA modulus."
+              },
+              "e": {
+                "type": "string",
+                "title": "Exponent",
+                "description": "RSA exponent."
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
+}

test/lib/commands/sbom.js

@@ -1213,6 +1213,33 @@ define('local-address', {
   flatten,
 })
 
+define('sbom-format', {
+  default: null,
+  type: [
+    'cyclonedx',
+    'spdx',
+  ],
+  description: `
+    SBOM format to use when generating SBOMs.
+  `,
+  flatten,
+})
+
+define('sbom-type', {
+  default: 'library',
+  type: [
+    'library',
+    'application',
+    'framework',
+  ],
+  description: `
+    The type of package described by the generated SBOM. For SPDX, this is the
+    value for the \`primaryPackagePurpose\` fieled. For CycloneDX, this is the
+    value for the \`type\` field.
+  `,
+  flatten,
+})
+
 define('location', {
   default: 'user',
   short: 'L',

test/lib/utils/sbom-cyclonedx.js

@@ -435,6 +435,15 @@ Object {
   "save-prod": Array [
     "boolean value (true or false)",
   ],
+  "sbom-format": Array [
+    "cyclonedx",
+    "spdx",
+  ],
+  "sbom-type": Array [
+    "library",
+    "application",
+    "framework",
+  ],
   "scope": Array [
     Function String(),
   ],