npm-sbom
Synopsis
npm sbom
Description

The npm sbom command generates a Software Bill of Materials (SBOM) listing the dependencies for the current project. SBOMs can be generated in either SPDX or CycloneDX format (selected with the sbom-format option described under Configuration below).
Example CycloneDX SBOM

{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:09f55116-97e1-49cf-b3b8-44d0207e7730",
  "version": 1,
  "metadata": {
    "timestamp": "2023-09-01T00:00:00.001Z",
    "lifecycles": [{ "phase": "build" }],
    "tools": [{ "vendor": "npm", "name": "cli", "version": "10.1.0" }],
    "component": {
      "bom-ref": "simple@1.0.0",
      "type": "library",
      "name": "simple",
      "version": "1.0.0",
      "scope": "required",
      "author": "John Doe",
      "description": "simple react app",
      "purl": "pkg:npm/simple@1.0.0",
      "properties": [{ "name": "cdx:npm:package:path", "value": "" }],
      "externalReferences": [],
      "licenses": [{ "license": { "id": "MIT" } }]
    }
  },
  "components": [
    {
      "bom-ref": "lodash@4.17.21",
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "scope": "required",
      "author": "John-David Dalton",
      "description": "Lodash modular utilities.",
      "purl": "pkg:npm/lodash@4.17.21",
      "properties": [{ "name": "cdx:npm:package:path", "value": "node_modules/lodash" }],
      "externalReferences": [
        { "type": "distribution", "url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
        { "type": "vcs", "url": "git+https://github.com/lodash/lodash.git" },
        { "type": "website", "url": "https://lodash.nodejs.cn/" },
        { "type": "issue-tracker", "url": "https://github.com/lodash/lodash/issues" }
      ],
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
        }
      ],
      "licenses": [{ "license": { "id": "MIT" } }]
    }
  ],
  "dependencies": [
    { "ref": "simple@1.0.0", "dependsOn": ["lodash@4.17.21"] },
    { "ref": "lodash@4.17.21", "dependsOn": [] }
  ]
}
Example SPDX SBOM

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "simple@1.0.0",
  "documentNamespace": "http://spdx.org/spdxdocs/simple-1.0.0-bf81090e-8bbc-459d-bec9-abeb794e096a",
  "creationInfo": {
    "created": "2023-09-01T00:00:00.001Z",
    "creators": ["Tool: npm/cli-10.1.0"]
  },
  "documentDescribes": ["SPDXRef-Package-simple-1.0.0"],
  "packages": [
    {
      "name": "simple",
      "SPDXID": "SPDXRef-Package-simple-1.0.0",
      "versionInfo": "1.0.0",
      "packageFileName": "",
      "description": "simple react app",
      "primaryPackagePurpose": "LIBRARY",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "homepage": "NOASSERTION",
      "licenseDeclared": "MIT",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/simple@1.0.0"
        }
      ]
    },
    {
      "name": "lodash",
      "SPDXID": "SPDXRef-Package-lodash-4.17.21",
      "versionInfo": "4.17.21",
      "packageFileName": "node_modules/lodash",
      "description": "Lodash modular utilities.",
      "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "filesAnalyzed": false,
      "homepage": "https://lodash.nodejs.cn/",
      "licenseDeclared": "MIT",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/lodash@4.17.21"
        }
      ],
      "checksums": [
        {
          "algorithm": "SHA512",
          "checksumValue": "bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-simple-1.0.0",
      "relationshipType": "DESCRIBES"
    },
    {
      "spdxElementId": "SPDXRef-Package-simple-1.0.0",
      "relatedSpdxElement": "SPDXRef-Package-lodash-4.17.21",
      "relationshipType": "DEPENDS_ON"
    }
  ]
}
Package lock only mode

If package-lock-only is enabled, only the information in the package lock (or shrinkwrap) is loaded. This means that information from the package.json files of your dependencies will not be included in the result set (e.g. description, homepage, engines).
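The following is an added example, not code from the npm documentation or the npm CLI. It reduces an SBOM in either of the formats shown above to the three fields a supply-chain check actually needs (install path, purl, SHA-512 of the tarball) and cross-checks them against the package-lock.json that npm installs from, so a tampered or drifted lockfile is caught even when the SBOM looks plausible on its own. The lockfile, the CycloneDX document and the SPDX document are all constructed inline and trimmed to those fields so the script runs offline; the function names and the lockfile layout it assumes (lockfileVersion 3, a packages map keyed by path, SRI-formatted integrity strings) are this example's own assumptions.

```javascript
'use strict';

// Added example (not npm's code): cross-check an `npm sbom` document against
// package-lock.json. All three inputs below are constructed inline.

// SHA-512 of lodash-4.17.21.tgz as it appears in the SBOM examples (hex).
const LODASH_SHA512_HEX =
  'bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b8176' +
  '4daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a';

// Convert a hex digest to the SRI form ("sha512-<base64>") that npm stores
// in the lockfile's "integrity" field and verifies at install time.
function hexToSri(alg, hex) {
  return `${alg}-${Buffer.from(hex, 'hex').toString('base64')}`;
}

// Constructed lockfileVersion 3 fragment (assumed layout: packages keyed by path).
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'simple', version: '1.0.0' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: hexToSri('sha512', LODASH_SHA512_HEX),
    },
  },
};

// Constructed CycloneDX 1.5 document, trimmed to the fields used here.
// The root project lives in metadata.component, so it is not in components.
const CYCLONEDX = {
  bomFormat: 'CycloneDX',
  components: [{
    purl: 'pkg:npm/lodash@4.17.21',
    properties: [{ name: 'cdx:npm:package:path', value: 'node_modules/lodash' }],
    hashes: [{ alg: 'SHA-512', content: LODASH_SHA512_HEX }],
  }],
};

// Constructed SPDX 2.3 document, trimmed to the fields used here.
// The root project is a package with an empty packageFileName.
const SPDX = {
  spdxVersion: 'SPDX-2.3',
  packages: [
    { SPDXID: 'SPDXRef-Package-simple-1.0.0', packageFileName: '', versionInfo: '1.0.0',
      externalRefs: [{ referenceType: 'purl', referenceLocator: 'pkg:npm/simple@1.0.0' }] },
    { SPDXID: 'SPDXRef-Package-lodash-4.17.21', packageFileName: 'node_modules/lodash', versionInfo: '4.17.21',
      externalRefs: [{ referenceCategory: 'PACKAGE-MANAGER', referenceType: 'purl',
                       referenceLocator: 'pkg:npm/lodash@4.17.21' }],
      checksums: [{ algorithm: 'SHA512', checksumValue: LODASH_SHA512_HEX }] },
  ],
};

// Reduce either format to { path, purl, sha512 } records for the dependencies only.
function normalise(sbom) {
  if (sbom.bomFormat === 'CycloneDX') {
    return sbom.components.map((c) => ({
      path: (c.properties || []).find((p) => p.name === 'cdx:npm:package:path')?.value ?? '',
      purl: c.purl,
      sha512: (c.hashes || []).find((h) => h.alg === 'SHA-512')?.content?.toLowerCase() ?? null,
    }));
  }
  if (typeof sbom.spdxVersion === 'string') {
    return sbom.packages
      .filter((p) => p.packageFileName !== '') // drop the root project
      .map((p) => ({
        path: p.packageFileName,
        purl: (p.externalRefs || []).find((r) => r.referenceType === 'purl')?.referenceLocator,
        sha512: (p.checksums || []).find((c) => c.algorithm === 'SHA512')?.checksumValue?.toLowerCase() ?? null,
      }));
  }
  throw new Error('unrecognised SBOM format');
}

// Compare SBOM entries with the lockfile. Returns human-readable findings;
// an empty list means every SBOM entry matches what npm will install.
function crossCheck(sbom, lock) {
  const findings = [];
  const seen = new Set();
  for (const entry of normalise(sbom)) {
    seen.add(entry.path);
    const locked = lock.packages[entry.path];
    if (!locked) { findings.push(`${entry.path}: in SBOM but not in lockfile`); continue; }
    // purl scopes are percent-encoded ("%40scope"), so the last '@' delimits the version.
    const version = entry.purl.split('@').pop();
    if (locked.version !== version) findings.push(`${entry.path}: version ${version} vs lock ${locked.version}`);
    if (entry.sha512 === null) findings.push(`${entry.path}: SBOM carries no SHA-512`);
    else if (locked.integrity !== hexToSri('sha512', entry.sha512)) findings.push(`${entry.path}: hash mismatch`);
  }
  for (const path of Object.keys(lock.packages)) {
    if (path !== '' && !seen.has(path)) findings.push(`${path}: in lockfile but not in SBOM`);
  }
  return findings;
}

console.log('cyclonedx findings:', crossCheck(CYCLONEDX, LOCKFILE));
console.log('spdx findings:     ', crossCheck(SPDX, LOCKFILE));
```

Because the check uses only the install path, purl and hashes, it works the same on an SBOM generated with package-lock-only, which drops the package.json-derived fields (description, homepage, engines) but not the identity or checksum data. If the SBOM was generated with omit (for example omitting dev), the lockfile side will legitimately contain entries the SBOM lacks, since npm keeps omitted dependencies in the lockfile; in that case filter the lockfile entries by their dev/optional flags before diffing rather than treating every extra lockfile entry as a finding.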
Configuration
omit
- Default: 'dev' if the NODE_ENV environment variable is set to 'production', otherwise empty.
- Type: "dev", "optional", or "peer" (can be set multiple times)

Dependency types to omit from the installation tree on disk.

Note that these dependencies are still resolved and added to the package-lock.json or npm-shrinkwrap.json file. They are just not physically installed on disk.

If a package type appears in both the --include and --omit lists, then it will be included.

If the resulting omit list includes 'dev', then the NODE_ENV environment variable will be set to 'production' for all lifecycle scripts.
package-lock-only
- Default: false
- Type: Boolean

If set to true, the current operation will only use the package-lock.json, ignoring node_modules.

For update this means only the package-lock.json will be updated, instead of checking node_modules and downloading dependencies.

For list this means the output will be based on the tree described by the package-lock.json, rather than the contents of node_modules.
sbom-format
- Default: null
- Type: "cyclonedx" or "spdx"

SBOM format to use when generating SBOMs.
sbom-type
- Default: "library"
- Type: "library", "application", or "framework"

The type of package described by the generated SBOM. For SPDX, this is the value for the primaryPackagePurpose field. For CycloneDX, this is the value for the type field.
workspace
- Default:
- Type: String (can be set multiple times)

Enable running a command in the context of the configured workspaces of the current project while filtering by running only the workspaces defined by this configuration option.