Yarn community needs a good CycloneDX SBOM generator. #6063
Replies: 3 comments
-
Greetings from the CycloneDX team 👋 Nowadays, developers of package managers know that SBOM is a thing; they are waiting for a community request to justify the effort of implementation ;-) If the @yarnpkg people don't see a need for this topic or don't want to provide the feature themselves, then sure, come back to CycloneDX/cyclonedx-node-yarn#12 and CycloneDX/cyclonedx-node-yarn#8, so we can discuss a possible community-owned solution there. PS: in general, the CycloneDX community is proud of their own solutions and implementations to get ecosystems enabled to do proper supply chain assessment, and we will continue doing so. We also love to see ecosystems adopting the topic. 🚀 CC @CycloneDX/core-team
-
Well, some time went by, and here we are: https://github.com/CycloneDX/cyclonedx-node-yarn/ is ready to use. It is a working and fully-featured CycloneDX SBOM generator as a yarn plugin.
-
Do you think Meta Package Manager can do the trick? Like:
-
About checking vulnerabilities: it seems that the industry is moving to the generation of a standard SBOM (like SPDX or CycloneDX), which is then used to check vulnerabilities, license compliance, or ...
It seems that yarn doesn't have dedicated tools to do that.
There exist a lot of all-in-one tools which allow generating that:
But not a small dedicated tool easily integrable in a yarn (classic to stable) build.
There is some initiative at: https://github.com/CycloneDX/cyclonedx-node-yarn
The scope of the project is described at: CycloneDX/cyclonedx-node-yarn#8
But currently the project is not really active: CycloneDX/cyclonedx-node-yarn#10
And it is searching for contributors: CycloneDX/cyclonedx-node-yarn#12
So I share this, just in case the yarn community could be interested in it.
Just to let you know when I write these lines: