Skip to content

Tool name: CycloneDX SBOM for npm #50

New issue
New issue
Open
Open
Tool name: CycloneDX SBOM for npm#50
Labels
foss-tool
@jkowalleck

Description

@jkowalleck
jkowalleck
opened on Jan 27, 2025

homepage_url

https://github.com/CycloneDX/cyclonedx-node-npm?tab=readme-ov-file#readme

contact_email

jan.kowalleck [at] owasp.org

code_view_url

https://github.com/CycloneDX/cyclonedx-node-npm

spdx_license_expression

Apache-2.0

description

Create CycloneDX Software Bill of Materials (SBOM) from [npm] projects.

Based on OWASP Software Component Verification Standard for Software Bill of Materials's
criteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).

The resulting SBOM documents follow official specifications and standards,
and might have properties following cdx:npm Namespace Taxonomy
.

primary_languages

TypeScript

short_term_roadmap

all things are community efforts - come and help/contribute

long_term_roadmap

all things are community efforts - come and help/contribute

proprietary_data

  • Yes, the tool depends on proprietary data sources

commercial_features

  • Yes, the tool has a commercial version with different/additional features

capabilities

  • Identifiers - Use Package-URL (PURL) identifiers
  • Identifiers - Use SPDX license expressions
  • Scanning - Analyze package manifests and lockfiles
  • Scanning - Analyze package files
  • Scanning - Scan for copyright
  • Scanning - Scan for license
  • Scanning - Analyze source code
  • Scanning - Analyze containers
  • Scanning - Analyze installed system packages (linux distros)
  • Scanning - Analyze installed application packages
  • Scanning - Other analysis
  • Packages - Inventory packages
  • Packages - Inventory packages dependencies
  • Packages - Resolve dependencies
  • Packages - Navigate or display dependency graph
  • Compliance - Generate CycloneDX SBOMs
  • Compliance - Generate SPDX SBOMs
  • Compliance - Validate CycloneDX SBOM
  • Compliance - Validate SPDX SBOMs
  • Compliance - Generate CycloneDX VEX
  • Compliance - Generate CSAF VEX
  • Compliance - Generate OpenVex
  • Compliance - Generate other compliance documents
  • Policies - Define and check license policies
  • Policies - Define and check security policies
  • Policies - Define and check other policies
  • Data - Database of Package metadata
  • Data - Database of Package dependency relationships
  • Data - Database of License obligations
  • Data - Database of Licenses
  • Data - Database of Vulnerabilities
  • License - Help triage license issues
  • License - Generate license credit and attribution notices
  • License - Generate source code redistribution lists
  • Vulnerabilities - Detect vulnerable code in packages
  • Vulnerabilities - Find known vulnerabilities for package
  • Vulnerabilities - Determine reachable vulnerabilities
  • Vulnerabilities - Help triage vulnerabilities
  • Binaries - Analyze binaries
  • Binaries - Analyze ELF binaries
  • Binaries - Analyze Windows binaries
  • Binaries - Analyze firmware binaries
  • Binaries - Analyze Other binaries
  • Matching - Match source code
  • Matching - Match binary code
  • Tracing - Trace code execution
  • Tracing - Trace build
  • Code Security - Analyze code statically (SAST/linting)
  • Code Security - Analyze code dynamically (DAST)
  • Download - Source package
  • Download - Source repositories
  • Download - Binary package
  • Deployment - Deployable as containers (Docker/OCI/k8s/etc)
  • Deployment - Deployable in CI/CD pipelines
  • Deployment - Deployable as a library
  • Run - Run as a command line tool
  • Run - Run as a web application
  • Run - Run as an API service

other_capabilities

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    foss-tool

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions