fix: preserve serialNumber UUID in CycloneDX SBOM output #8837

[saksham-malhotra-27]

As mentioned in the issue #8837, BOM files in cyclonedx format created by npm-sbom contain an invalid statically UUID value in the serialNumber field: "serialNumber": "urn:uuid:***", because it was being redacted each time.

This change uses output.standard() with { [META]: true, redact: false } to bypass redaction for SBOM output, following the same pattern used in lib/commands/token.js for outputting authentication tokens that should not be redacted.

Before:

"serialNumber": "urn:uuid:***"

After:

"serialNumber": "urn:uuid:12345678-1234-1234-1234-123456789abc"

Testing

• All existing tests pass
• Verified locally that serialNumber now displays the complete UUID

References

Fixes #8837

[wraithgar]

It looks like because our fixture serial number is all 0's they weren't being redacted. If we update the test to use a real uuid then we can make sure it ends up in the snapshots unredacted.

[saksham-malhotra-27]

It looks like because our fixture serial number is all 0's they weren't being redacted. If we update the test to use a real uuid then we can make sure it ends up in the snapshots unredacted.

Yup, found it. Even after making it a random-
const FAKE_UUID = '12345678-90ab-cdef-1234-567890abcdef'

it totally works:

let me know if there's something else left. Thank you.

[wraithgar]

Great, thanks. That's a best effort there and we can land this now once CI is green. Thanks for fixing this.