LinuxCommandLibrary

npm-sbom

Generate a Software Bill of Materials (SBOM) for an npm project

TLDR

Generate an SBOM of the installed dependency tree in CycloneDX format (the format flag is required)

$ npm sbom --sbom-format cyclonedx

Generate an SPDX SBOM that leaves out both dev and optional dependencies
$ npm sbom --sbom-format spdx --omit dev --omit optional

Generate an SBOM from package-lock.json alone, without reading node_modules, and save it to a file
$ npm sbom --sbom-format cyclonedx --package-lock-only > sbom.cdx.json

SYNOPSIS

npm sbom --sbom-format <cyclonedx|spdx> [--sbom-type <library|application|framework>] [--omit <dev|optional|peer>] [--package-lock-only] [-w <workspace>] [--workspaces] [--include-workspace-root]

PARAMETERS

--sbom-format <cyclonedx|spdx>
    Required. Output standard for the generated SBOM: CycloneDX or SPDX, both written as a single JSON document on stdout. The command refuses to run if the flag is absent. There is no output-file option; redirect stdout to save the SBOM.

--sbom-type <library|application|framework>
    Type recorded for the root package being described. Default: library. It becomes the CycloneDX metadata component "type" or the SPDX "primaryPackagePurpose" field.

--omit <dev|optional|peer>
    Dependency type to leave out of the SBOM. Repeat the flag to omit several types. Defaults to dev when the NODE_ENV environment variable is set to production, otherwise nothing is omitted.

--package-lock-only
    Build the dependency tree from package-lock.json (or npm-shrinkwrap.json) alone, ignoring node_modules. Useful in CI when nothing is installed; without it the command describes the tree that is actually installed on disk.

-w, --workspace <name|path>
    Generate the SBOM for the given workspace instead of the root project. Repeatable.

--workspaces
    Run for every configured workspace.

--include-workspace-root
    When running against workspaces, also include the root project.

-h, --help
    Display help for the command.

DESCRIPTION

The npm sbom command is built into the npm CLI (npm 10.1 and later) and generates a Software Bill of Materials (SBOM) for the project in the current directory. It emits one JSON document on stdout in either CycloneDX 1.5 or SPDX 2.3 format, selected with the required --sbom-format flag.

An SBOM is a formal, machine-readable inventory of the components that make up a piece of software. For a Node.js project this is the root package plus every direct and transitive npm dependency that npm resolved.

The inventory is read from the installed node_modules tree or, with --package-lock-only, from package-lock.json or npm-shrinkwrap.json alone. Each component is recorded with its name and version, a Package URL (purl, for example pkg:npm/%40scope/name@1.2.3, with the scope's @ percent-encoded), the SHA-512 hash carried over from the lockfile's integrity field, the declared license, and its path under node_modules. Dependency relationships are recorded as well (the CycloneDX dependencies graph or the SPDX relationships list), so a consumer can tell which package pulled in a given transitive dependency. Because the same resolved tree is described either way, the choice of format is driven by the consumer: vulnerability scanners and supply-chain tooling commonly ingest CycloneDX, while license and provenance workflows often expect SPDX.

CAVEATS

npm sbom describes what npm resolved, not what your code actually loads. Without --package-lock-only it walks the installed node_modules tree, so an SBOM generated against a stale or hand-edited install describes that install; with --package-lock-only it trusts package-lock.json, and a lockfile that is out of date relative to package.json yields an SBOM that does not match what a fresh install would produce. Run npm ci (which fails if the lockfile and package.json disagree) before generating the SBOM so both views agree, and keep the SBOM next to the exact artifact it was generated from.

Only npm-managed packages appear. Native binaries fetched by install scripts, vendored or bundled code, the Node.js runtime itself, system libraries, and anything downloaded at run time are outside npm's view and must be added by other tooling for a complete picture of the supply chain.

The output is a plain JSON document with no signature or attestation: it is a claim made by whatever environment produced it. Consumers should verify it against the lockfile or the deployed artifact rather than treat it as proof of contents.

SBOM STANDARDS: CYCLONEDX VS. SPDX

There are two primary open-source SBOM standards: CycloneDX and SPDX (Software Package Data Exchange).

CycloneDX, championed by OWASP, is designed to be lightweight, prescriptive, and security-focused, which suits vulnerability management and supply-chain risk analysis and makes it easy to automate in CI/CD pipelines.

SPDX, an ISO standard (ISO/IEC 5962:2021), has a broader scope, with detailed licensing, copyright, and provenance data. It is more comprehensive and correspondingly more complex to implement. npm sbom emits either format from the same resolved dependency tree, so the choice comes down to what the downstream consumer (scanner, license tool, customer, or regulator) expects to ingest.
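The caveats above (an SBOM is only as good as the tree it was generated from, and it should be checked rather than trusted) and the two-format choice in this section are easier to act on with a concrete check. The Node.js script below is an added example, not npm's code and not part of the original page: it normalises either a CycloneDX or an SPDX document of the shape npm sbom produces into (name, version, SHA-512) records and compares them with the packages map of a lockfileVersion 3 package-lock.json, reporting packages missing from the SBOM, packages present that the lock does not pin, version disagreements, and hash mismatches. The lockfile, the two SBOMs and their digests are constructed inline (the digests are filler bytes, not real tarball hashes); the field names are those CycloneDX 1.5 and SPDX 2.3 define.

```javascript
// Added example: cross-check an SBOM from `npm sbom --sbom-format cyclonedx|spdx`
// against package-lock.json. Not npm code; every fixture below is constructed.

// Filler 64-byte digests standing in for SHA-512 tarball hashes (constructed):
// the lockfile stores them as base64 SRI, the SBOM as lowercase hex.
function fakeDigest(fillByte) {
  const bytes = Buffer.alloc(64, fillByte);
  return { sri: `sha512-${bytes.toString('base64')}`, hex: bytes.toString('hex') };
}
const LODASH = fakeDigest(0x11);
const TYPES_NODE = fakeDigest(0x22);

// Constructed lockfileVersion 3 fragment: one runtime and one dev dependency.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21', integrity: LODASH.sri, license: 'MIT' },
    'node_modules/@types/node': { version: '20.11.0', dev: true, integrity: TYPES_NODE.sri, license: 'MIT' },
  },
};

// Constructed CycloneDX 1.5 document as produced with `--omit dev`: the root
// project sits in metadata.component; only lodash is listed under components.
const CDX_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  metadata: { component: { type: 'library', name: 'example-app', version: '1.0.0', purl: 'pkg:npm/example-app@1.0.0' } },
  components: [
    { type: 'library', name: 'lodash', version: '4.17.21', purl: 'pkg:npm/lodash@4.17.21',
      hashes: [{ alg: 'SHA-512', content: LODASH.hex }], licenses: [{ license: { id: 'MIT' } }] },
  ],
};

// Constructed SPDX 2.3 document produced without --omit: the root package is
// listed in packages too (referenced by documentDescribes) and must be skipped.
// The @types/node checksum is deliberately wrong to exercise the mismatch path.
const SPDX_SBOM = {
  spdxVersion: 'SPDX-2.3',
  SPDXID: 'SPDXRef-DOCUMENT',
  documentDescribes: ['SPDXRef-Package-example-app-1.0.0'],
  packages: [
    { name: 'example-app', SPDXID: 'SPDXRef-Package-example-app-1.0.0', versionInfo: '1.0.0' },
    { name: 'lodash', SPDXID: 'SPDXRef-Package-lodash-4.17.21', versionInfo: '4.17.21',
      checksums: [{ algorithm: 'SHA512', checksumValue: LODASH.hex }],
      externalRefs: [{ referenceCategory: 'PACKAGE-MANAGER', referenceType: 'purl', referenceLocator: 'pkg:npm/lodash@4.17.21' }] },
    { name: '@types/node', SPDXID: 'SPDXRef-Package-types-node-20.11.0', versionInfo: '20.11.0',
      checksums: [{ algorithm: 'SHA512', checksumValue: 'ab'.repeat(64) }],
      externalRefs: [{ referenceCategory: 'PACKAGE-MANAGER', referenceType: 'purl', referenceLocator: 'pkg:npm/%40types/node@20.11.0' }] },
  ],
};

// Parse an npm purl such as pkg:npm/%40types/node@20.11.0 (scope @ is percent-encoded).
function parseNpmPurl(purl) {
  const m = /^pkg:npm\/(.+)@([^@?#]+)/.exec(purl || '');
  return m ? { name: decodeURIComponent(m[1]), version: m[2] } : undefined;
}

// Reduce either format to { name, version, sha512 } records for non-root packages.
function componentsOf(sbom) {
  if (sbom.bomFormat === 'CycloneDX') {
    return (sbom.components || []).map((c) => ({
      ...(parseNpmPurl(c.purl) || { name: c.name, version: c.version }),
      sha512: (c.hashes || []).find((h) => h.alg === 'SHA-512')?.content?.toLowerCase(),
    }));
  }
  if (sbom.spdxVersion) {
    const roots = new Set(sbom.documentDescribes || []);
    return (sbom.packages || []).filter((p) => !roots.has(p.SPDXID)).map((p) => ({
      ...(parseNpmPurl((p.externalRefs || []).find((r) => r.referenceType === 'purl')?.referenceLocator)
        || { name: p.name, version: p.versionInfo }),
      sha512: (p.checksums || []).find((c) => c.algorithm === 'SHA512')?.checksumValue?.toLowerCase(),
    }));
  }
  throw new Error('not a CycloneDX or SPDX JSON document');
}

// Lockfile integrity is base64 SRI ("sha512-...", possibly several space-separated entries).
function sriToHex(integrity) {
  const sri = String(integrity || '').split(/\s+/).find((s) => s.startsWith('sha512-'));
  return sri ? Buffer.from(sri.slice('sha512-'.length), 'base64').toString('hex') : undefined;
}

// Compare SBOM components with the lockfile. omitDev mirrors `--omit dev`.
// Keyed by package name: a lock pinning one package at two versions (nested
// node_modules) would need keying by path instead.
function checkSbomAgainstLock(sbom, lock, { omitDev = false } = {}) {
  const expected = new Map(); // name -> { version, hex }
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || entry.link || (omitDev && entry.dev)) continue;
    const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
    expected.set(name, { version: entry.version, hex: sriToHex(entry.integrity) });
  }
  const findings = { missing: [], unexpected: [], versionMismatch: [], hashMismatch: [], unhashed: [] };
  const seen = new Set();
  for (const c of componentsOf(sbom)) {
    seen.add(c.name);
    const want = expected.get(c.name);
    if (!want) { findings.unexpected.push(`${c.name}@${c.version}`); continue; }
    if (want.version !== c.version) { findings.versionMismatch.push(`${c.name}: sbom ${c.version}, lock ${want.version}`); continue; }
    if (!c.sha512) findings.unhashed.push(c.name);
    else if (want.hex && want.hex !== c.sha512) findings.hashMismatch.push(c.name);
  }
  for (const [name, want] of expected) if (!seen.has(name)) findings.missing.push(`${name}@${want.version}`);
  return findings;
}

// Stand-alone run: the dev-omitted CycloneDX SBOM is clean against the dev-omitted
// lock view; the full SPDX SBOM reveals the tampered @types/node hash.
console.log(checkSbomAgainstLock(CDX_SBOM, LOCK, { omitDev: true }));
console.log(checkSbomAgainstLock(SPDX_SBOM, LOCK));
```

To run it against real files, replace the fixtures with JSON.parse(fs.readFileSync(...)) of the SBOM and of package-lock.json, and pass omitDev: true when the SBOM was generated with --omit dev so dev entries are not reported as missing. A non-empty hashMismatch or versionMismatch means the SBOM and the lockfile were not produced from the same tree and neither should be trusted until the install is redone with npm ci.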

IMPORTANCE IN SUPPLY CHAIN SECURITY

In today's interconnected software landscape, applications often rely heavily on open-source and third-party components. This introduces significant supply chain security risks, as vulnerabilities in any single component can compromise the entire application.

SBOMs generated by tools like npm-sbom provide a critical inventory that helps organizations:

  • Identify known vulnerabilities (CVEs) present in their dependencies.
  • Track licensing compliance and avoid legal risks.
  • Understand their attack surface and manage risks proactively.
  • Respond quickly to newly discovered vulnerabilities by pinpointing affected applications.
  • Meet regulatory requirements and industry best practices for software transparency.

HISTORY

The concept of a Software Bill of Materials gained significant traction in the early 2020s, driven by concern over software supply-chain attacks and by governmental mandates, notably U.S. Executive Order 14028 (May 2021), which called for SBOMs as part of enhanced software-security practices.

Tooling to automate SBOM generation followed for each ecosystem. The CycloneDX standard, developed under the OWASP Foundation, became a leading choice for its security-oriented data model, and SPDX, already established for license compliance, added the fields needed for security use. For Node.js, third-party generators such as @cyclonedx/cyclonedx-npm came first; the npm CLI then gained a native npm sbom command in 2023 (npm 10.1), producing CycloneDX or SPDX directly from the tree npm itself resolved, so the SBOM comes from the same component that performed the install rather than from a separate re-parse of the lockfile.

SEE ALSO

npm-audit(1), npm-ci(1), npm-ls(1), cyclonedx-npm(1), spdx-sbom-generator(1), dep-check(1)
