Generate sbom files

[n0nvme]

Contribution

• I'd be willing to implement this feature (contributing guide)

Describe the user story

I need SBOM's to implement SCA pipeline for repos managed by pnpm. Npm can generate them out of the box(link), but for pnpm all solutions looks a bit painful

Describe the solution you'd like

Add pnpm sbom command which works nearly like npm sbom.

Describe the drawbacks of your solution

No response

Describe alternatives you've considered

generating lock file by npm as discussed in #5926 seems to be a bad idea

[zkochan]

I this for checking licenses? We have a command for that: https://pnpm.io/cli/licenses

[n0nvme]

It's for vulnerability scanning. License command can't help me here. I need to send SBOM's to DependencyTrack

[Saturate]

I'm currently trying to generate SBOM via the pnpm list command with pnpm list --json --prod --depth Infinity --recursive but getting an error looking like this:

{
  "error": {
    "code": "pnpm",
    "message": "Invalid string length"
  }
}

The idea is to build a CycloneDX SBOM with this information, but the --depth Infinity seems to do something wrong.

If I get it working @n0nvme I'll let you know, then you'll be able to generate a SBOM with ease, even if it's not supported out of the box.

[mbeckem]

Trivy works reasonably well for pnpm based projects, e.g. trivy fs --format cyclonedx -o sbom.json .

Unfortunately this requires another tool; ideally pnpm could do this by itself. Pretty much all needed information should already be present in pnpm-lock.yaml.

[mbonaci]

FYI From what I gathered this explains the origins of the Invalid string length issue: #7378
This one tracks the pnpm list resolution: #8731

[jayvdb]

fwiw, I tried syft, and ran into anchore/syft#3914

trivy WFM.

[agalindo-init]

Hi, to generate a SBOM e.g. as cyclonedx json you can also use https://github.com/CycloneDX for pnpm projects:

1. Install globally pnpm install -g @cyclonedx/cdxgen
2. Move to folder with your package.json, pnpm-lock.yaml and if exists pnpm-workspace.yaml
3. Run command for type pnpm pnpm cdxgen -t pnpm

Depending on the size of your project this might take some minutes, but will generate a bom.json 🍦

[mbeckem]

Hi, to generate a SBOM e.g. as cyclonedx json you can also use CDXGen for pnpm projects:

1. Install globally `pnpm install -g @cyclone/cdxgen`

2. Move to folder with your _package.json_, _pnpm-lock.yaml_ and if exists _pnpm-workspace.yaml_

3. Run command for type _pnpm_ `pnpm cdxgen -t pnpm`

Depending on the size of your project this might take some minutes, but will generate a bom.json 🍦

Thanks for the tip. Your link points to an error page, I think you mean this site: https://cyclonedx.github.io/cdxgen/

[jayvdb]

When I tried cdxgen, it didnt include the full dependency tree. It may have been fixed, but there are still a lot of "pnpm" bugs at https://github.com/CycloneDX/cdxgen/issues?q=sort%3Aupdated-desc%20is%3Aissue%20is%3Aopen%20pnpm

[wjaspers]

For what its worth, this is blocking JFrog audits from succeeding, particularly when a project has a large dependency tree.

[zkochan]

The list command will be fixed by this PR: #10586