[BUG] sbom cyclonedx missing properties · Issue #8105 · npm/cli · GitHub
Description

@PaddeK

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Running npm sbom --sbom-format cyclonedx with npm@11.1.0 results in an sbom with empty properties in bom-ref entries.

Example:

    {
      "bom-ref": "mqtt@5.10.1",
      "type": "library",
      "name": "mqtt",
      "version": "5.10.1",
      "scope": "required",
      "description": "A library for the MQTT protocol",
      "purl": "pkg:npm/mqtt@5.10.1",
      "properties": [],
      "externalReferences": [
        {
          "type": "distribution",
          "url": "https://registry.npmjs.org/mqtt/-/mqtt-5.10.1.tgz"
        },
        {
          "type": "vcs",
          "url": "git://github.com/mqttjs/MQTT.js.git"
        },
        {
          "type": "website",
          "url": "https://github.com/mqttjs/MQTT.js#readme"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/mqttjs/MQTT.js/issues"
        }
      ],
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "85708e922f2c00da10ef0fb63b327383aa8c0714edac7f5196754d57ca5a9cb6609e5f8687427fb7893aafc033f3e0bbcb72807325ed9f49a62e2c725289bc4b"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
    },

Expected Behavior

Running npx @cyclonedx/cyclonedx-npm or using npm@11.0.0 has cdx:npm:package:path in properties.

Example:

    {
      "type": "library",
      "name": "mqtt",
      "version": "5.10.1",
      "bom-ref": "mqtt@5.10.1",
      "description": "A library for the MQTT protocol",
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "acknowledgement": "declared"
          }
        }
      ],
      "purl": "pkg:npm/mqtt@5.10.1",
      "externalReferences": [
        {
          "url": "git://github.com/mqttjs/MQTT.js.git",
          "type": "vcs",
          "comment": "as detected from PackageJson property \"repository.url\""
        },
        {
          "url": "https://github.com/mqttjs/MQTT.js#readme",
          "type": "website",
          "comment": "as detected from PackageJson property \"homepage\""
        },
        {
          "url": "https://github.com/mqttjs/MQTT.js/issues",
          "type": "issue-tracker",
          "comment": "as detected from PackageJson property \"bugs.url\""
        },
        {
          "url": "https://registry.npmjs.org/mqtt/-/mqtt-5.10.1.tgz",
          "type": "distribution",
          "comment": "as detected from npm-ls property \"resolved\""
        }
      ],
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/mqtt"
        }
      ]
    },
   ...

Steps To Reproduce

No response

Environment

  • npm: 11.1.0
  • Node.js: 22.14.0
  • OS Name: macOS 15.3
  • System Model Name: Macbook Pro

Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)