
[feature][npm] Generate SBOM for npm #1982

Open
laurentsimon opened this issue Apr 11, 2023 · 2 comments
Labels
area:nodejs Issue related to the Node.js builder type:feature New feature or request

Comments

@laurentsimon
Collaborator

This could be enabled through `sbom-generate: true` and `sbom-format: xxx` options. I think a scan of the package.json would work, although I'm not 100% sure if additional deps could be pulled in through the script...

A larger question we need to answer before doing that is how we attest to the SBOM: through a dedicated provenance, through a new predicateType, or through a byproduct of the existing provenance.

@laurentsimon laurentsimon added the type:feature New feature or request label Apr 11, 2023
@ianlewis ianlewis added the area:nodejs Issue related to the Node.js builder label Apr 13, 2023
@ljharb

ljharb commented Sep 1, 2023

See npm/rfcs#714

Presumably this is primarily useful for an end-user application, since it can be autogenerated at any time from a lockfile and node_modules directory?
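As an added illustration of the two comments above (the package.json/lockfile scan in the first, and ljharb's point that an SBOM can be generated at any time from a lockfile), here is a small example that derives a minimal CycloneDX-style component list from the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3). This is example code written for this page, not code from slsa-github-generator or npm; the lockfile object, registry URLs and integrity values are constructed placeholders, and the CycloneDX field subset used is an assumption about what a consumer would minimally want (purl, version, SRI hash converted to hex, distribution URL).

```javascript
// Added example, not code from slsa-github-generator or npm: build a minimal
// CycloneDX-style SBOM from the "packages" map of a package-lock.json
// (lockfileVersion 2 or 3). The lockfile below is constructed for the demo;
// its integrity values are zero-byte placeholders, not real hashes.

const SAMPLE_LOCKFILE = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    // The root entry ("") describes the application itself.
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/leftpad": {
      version: "1.0.0",
      resolved: "https://registry.example.invalid/leftpad/-/leftpad-1.0.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // constructed placeholder
    },
    // A scoped package that is only a dev dependency.
    "node_modules/@scope/util": {
      version: "2.3.4",
      resolved: "https://registry.example.invalid/@scope/util/-/util-2.3.4.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // constructed placeholder
      dev: true,
    },
    // A nested install (a second copy of a package under another package).
    "node_modules/leftpad/node_modules/nested": {
      version: "0.1.0",
      resolved: "https://registry.example.invalid/nested/-/nested-0.1.0.tgz",
      integrity: "sha256-" + "A".repeat(43) + "=", // constructed placeholder
    },
    // A workspace symlink has no tarball of its own and is skipped below.
    "node_modules/my-workspace": { resolved: "packages/my-workspace", link: true },
  },
};

// The package name is everything after the last "node_modules/" segment; this
// keeps scopes ("@scope/util") and handles nested installs correctly.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Package URL for npm: the "@" of a scope is percent-encoded as "%40".
function purl(name, version) {
  return `pkg:npm/${name.replace(/^@/, "%40")}@${version}`;
}

// Convert an SRI string ("sha512-<base64>") into the CycloneDX hash shape:
// an algorithm name plus lowercase hex content.
function sriToHash(integrity) {
  const sep = integrity.indexOf("-");
  const algo = integrity.slice(0, sep).toLowerCase();
  const names = { sha256: "SHA-256", sha384: "SHA-384", sha512: "SHA-512" };
  if (!(algo in names)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  const content = Buffer.from(integrity.slice(sep + 1), "base64").toString("hex");
  return { alg: names[algo], content };
}

// Emit one component per installed package. Dev-only packages are excluded
// unless includeDev is set; the root entry and workspace links are never
// components. Components are sorted by purl so the output is reproducible.
function lockfileToSbom(lock, { includeDev = false } = {}) {
  if (!lock.packages) throw new Error("need lockfileVersion 2 or 3 (packages map)");
  const components = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || entry.link) continue;
    if (entry.dev && !includeDev) continue;
    const name = packageNameFromPath(lockPath);
    const component = { type: "library", name, version: entry.version, purl: purl(name, entry.version) };
    if (entry.integrity) component.hashes = [sriToHash(entry.integrity)];
    if (entry.resolved) component.externalReferences = [{ type: "distribution", url: entry.resolved }];
    components.push(component);
  }
  components.sort((a, b) => (a.purl < b.purl ? -1 : a.purl > b.purl ? 1 : 0));
  const root = lock.packages[""] || {};
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.5",
    version: 1,
    metadata: {
      component: { type: "application", name: root.name || lock.name, version: root.version || lock.version },
    },
    components,
  };
}

console.log(JSON.stringify(lockfileToSbom(SAMPLE_LOCKFILE), null, 2));
```

Because the lockfile records the resolved tarball URL and its SRI integrity for every installed package, the resulting component list is exactly the set of inputs that `npm ci` would install, which is why it can be regenerated at any time and why a consumer can cross-check each component's hash against the tarball it actually downloads.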

@laurentsimon
Collaborator Author

Correct, only for end applications. Thanks for the link, we'll take a look.

3 participants