npm-sbom

生成软件物料清单 (SBOM)

选择 CLI 版本:

概要

Synopsis

npm sbom

描述

Description

npm sbom 命令生成软件物料清单 (SBOM),列出当前项目的依赖。SBOM 可以以 SPDXCycloneDX 格式生成。

The npm sbom command generates a Software Bill of Materials (SBOM) listing the dependencies for the current project. SBOMs can be generated in either SPDX or CycloneDX format.

CycloneDX SBOM 示例

Example CycloneDX SBOM

{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
"version": 1,
"metadata": {
"timestamp": "2023-09-01T00:00:00.001Z",
"lifecycles": [
{
"phase": "build"
}
],
"tools": [
{
"vendor": "npm",
"name": "cli",
"version": "10.1.0"
}
],
"component": {
"bom-ref": "simple@1.0.0",
"type": "library",
"name": "simple",
"version": "1.0.0",
"scope": "required",
"author": "John Doe",
"description": "simple react app",
"purl": "pkg:npm/simple@1.0.0",
"properties": [
{
"name": "cdx:npm:package:path",
"value": ""
}
],
"externalReferences": [],
"licenses": [
{
"license": {
"id": "MIT"
}
}
]
}
},
"components": [
{
"bom-ref": "lodash@4.17.21",
"type": "library",
"name": "lodash",
"version": "4.17.21",
"scope": "required",
"author": "John-David Dalton",
"description": "Lodash modular utilities.",
"purl": "pkg:npm/lodash@4.17.21",
"properties": [
{
"name": "cdx:npm:package:path",
"value": "node_modules/lodash"
}
],
"externalReferences": [
{
"type": "distribution",
"url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
},
{
"type": "vcs",
"url": "git+https://github.com/lodash/lodash.git"
},
{
"type": "website",
"url": "https://lodash.com/"
},
{
"type": "issue-tracker",
"url": "https://github.com/lodash/lodash/issues"
}
],
"hashes": [
{
"alg": "SHA-512",
"content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
]
}
],
"dependencies": [
{
"ref": "simple@1.0.0",
"dependsOn": ["lodash@4.17.21"]
},
{
"ref": "lodash@4.17.21",
"dependsOn": []
}
]
}

SPDX SBOM 示例

Example SPDX SBOM

{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "simple@1.0.0",
"documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
"creationInfo": {
"created": "2023-09-01T00:00:00.001Z",
"creators": ["Tool: npm/cli-10.1.0"]
},
"documentDescribes": ["SPDXRef-Package-simple-1.0.0"],
"packages": [
{
"name": "simple",
"SPDXID": "SPDXRef-Package-simple-1.0.0",
"versionInfo": "1.0.0",
"packageFileName": "",
"description": "simple react app",
"primaryPackagePurpose": "LIBRARY",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"homepage": "NOASSERTION",
"licenseDeclared": "MIT",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/simple@1.0.0"
}
]
},
{
"name": "lodash",
"SPDXID": "SPDXRef-Package-lodash-4.17.21",
"versionInfo": "4.17.21",
"packageFileName": "node_modules/lodash",
"description": "Lodash modular utilities.",
"downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
"filesAnalyzed": false,
"homepage": "https://lodash.com/",
"licenseDeclared": "MIT",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:npm/lodash@4.17.21"
}
],
"checksums": [
{
"algorithm": "SHA512",
"checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
}
]
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
"relationshipType": "DESCRIBES"
},
{
"spdxElementId": "SPDXRef-Package-simple-1.0.0",
"relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
"relationshipType": "DEPENDS_ON"
}
]
}

仅包锁定模式

Package lock only mode

如果启用了 package-lock-only,则仅加载包锁(或收缩封装)中的信息。这意味着依赖的 package.json 文件中的信息将不会包含在结果集中(例如描述、主页、引擎)。

If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded. This means that information from the package.json files of your dependencies will not be included in the result set (e.g. description, homepage, engines).

配置

Configuration

omit

  • 默认值:'dev' 如果 NODE_ENV 环境变量设置为 'production',否则为空。

    Default: 'dev' if the NODE_ENV environment variable is set to 'production', otherwise empty.

  • 类型:"dev"、"optional"、"peer"(可多次设置)

    Type: "dev", "optional", or "peer" (can be set multiple times)

要从磁盘上的安装树中省略的依赖类型。

Dependency types to omit from the installation tree on disk.

请注意,这些依赖仍会被解析并添加到 package-lock.jsonnpm-shrinkwrap.json 文件中。它们只是没有物理安装在磁盘上。

Note that these dependencies are still resolved and added to the package-lock.json or npm-shrinkwrap.json file. They are just not physically installed on disk.

如果一个包类型同时出现在 --include--omit 列表中,那么它将被包括在内。

If a package type appears in both the --include and --omit lists, then it will be included.

如果生成的省略列表包含 'dev',则 NODE_ENV 环境变量将针对所有生命周期脚本设置为 'production'

If the resulting omit list includes 'dev', then the NODE_ENV environment variable will be set to 'production' for all lifecycle scripts.

package-lock-only

  • 默认值:false

    Default: false

  • 类型:布尔值

    Type: Boolean

如果设置为 true,当前操作将只使用 package-lock.json,忽略 node_modules

If set to true, the current operation will only use the package-lock.json, ignoring node_modules.

对于 update,这意味着只会更新 package-lock.json,而不是检查 node_modules 并下载依赖。

For update this means only the package-lock.json will be updated, instead of checking node_modules and downloading dependencies.

对于 list,这意味着输出将基于 package-lock.json 描述的树,而不是 node_modules 的内容。

For list this means the output will be based on the tree described by the package-lock.json, rather than the contents of node_modules.

sbom-format

  • 默认值:null

    Default: null

  • 类型:"cyclonedx" 或 "spdx"

    Type: "cyclonedx" or "spdx"

生成 SBOM 时使用的 SBOM 格式。

SBOM format to use when generating SBOMs.

sbom-type

  • 默认值:"库"

    Default: "library"

  • 类型:"库"、"应用" 或 "框架"

    Type: "library", "application", or "framework"

生成的 SBOM 描述的包类型。对于 SPDX,这是 primaryPackagePurpose 字段的值。对于 CycloneDX,这是 type 字段的值。

The type of package described by the generated SBOM. For SPDX, this is the value for the primaryPackagePurpose field. For CycloneDX, this is the value for the type field.

workspace

  • 默认值:

    Default:

  • 类型:字符串(可以设置多次)

    Type: String (can be set multiple times)

启用在当前项目的已配置工作区的上下文中运行命令,同时通过仅运行此配置选项定义的工作区进行过滤。

Enable running a command in the context of the configured workspaces of the current project while filtering by running only the workspaces defined by this configuration option.

workspace 配置的有效值为:

Valid values for the workspace config are either:

  • 工作区名称

    Workspace names

  • 工作区目录的路径

    Path to a workspace directory

  • 父工作区目录的路径(将导致选择该文件夹中的所有工作区)

    Path to a parent workspace directory (will result in selecting all workspaces within that folder)

npm init 命令设置时,可以将其设置为尚不存在的工作区的文件夹,以创建文件夹并将其设置为项目中的全新工作区。

When set for the npm init command, this may be set to the folder of a workspace which does not yet exist, to create the folder and set it up as a brand new workspace within the project.

此值不会导出到子进程的环境中。

This value is not exported to the environment for child processes.

workspaces

  • 默认值:null

    Default: null

  • 类型:空值或布尔值

    Type: null or Boolean

设置为 true 可在所有已配置工作区的上下文中运行该命令。

Set to true to run the command in the context of all configured workspaces.

显式将此设置为 false 将导致像 install 这样的命令完全忽略工作区。未明确设置时:

Explicitly setting this to false will cause commands like install to ignore workspaces altogether. When not set explicitly:

  • node_modules 树上运行的命令(安装、更新等)会将工作区链接到 node_modules 文件夹。* 执行其他操作(测试、执行、发布等)的命令将在根项目上运行,除非在 workspace 配置中指定了一个或多个工作区。

    Commands that operate on the node_modules tree (install, update, etc.) will link workspaces into the node_modules folder. - Commands that do other things (test, exec, publish, etc.) will operate on the root project, unless one or more workspaces are specified in the workspace config.

此值不会导出到子进程的环境中。

This value is not exported to the environment for child processes.

也可以看看

See Also

npm 中文网 - 粤ICP备13048890号