Cdxgen support for Rush monorepo (pnpm lockfile v6)

[justindeocampodd]

Issue:

When integrating cdxgen into our microsoft rush monorepo, the generated BoM file doesn't contain packages located under the "importers" block in our pnpm-lockfile.yaml.

Expected behavior:

cdxgen should parse the "importers" block in PNPM lockfile v6 and include these packages in the generated BoM.

Actual behavior:

Packages under the "importers" block are not included in the BoM.

Investigation:

In utils.js, I noticed that only lockfiles of v9>= have their importers block being parsed:

// In lock file version 9, direct dependencies is under importers
      const rootDirectDeps =
        lockfileVersion >= 9
          ? yamlObj.importers["."]?.dependencies || {}
          : yamlObj.dependencies || {};
      const rootDevDeps =
        lockfileVersion >= 9
          ? yamlObj.importers["."]?.devDependencies || {}
          : {};
      const rootOptionalDeps =
        lockfileVersion >= 9
          ? yamlObj.importers["."]?.optionalDependencies || {}
          : {};

However, here is an example of what our lockfile would look like (contains the importers field)

Questions

1. Is there a specific reason for limiting this feature to v9+ lockfiles?
2. Would it be possible to extend this functionality to v6 lockfiles, which also support the "importers" block according to the lockfile 6.0 specs?
3. Could the parsing function be modified to handle importers other than just "."? Our lockfile contains several projects we'd like to parse in this importers block.

[prabhu]

Thank you. @aryan-rajoria is looking into this. It appears like a missing feature since only the dot attribute is parsed and utilised from the importers block.

[aryan-rajoria]

Hello @justindeocampodd, the changes in PR #1377, creates a sbom that looks like this

rushsbom.json

    { "ref": "pkg:npm/rush", "dependsOn": [] },
    { "ref": "pkg:npm/rush/my-app", "dependsOn": ["pkg:npm/my-controls", "pkg:npm/whatwg-fetch"] },
    { "ref": "pkg:npm/rush/my-controls", "dependsOn": [] },
    { "ref": "pkg:npm/rush/my-toolchain", "dependsOn": ["pkg:npm/colors"] },

is something like this is suitable?

[aryan-rajoria]

I've made some further refinements based on Prabhu's feedback. The updated naming scheme aligns better with the PURL specification.

    { "ref": "pkg:npm/rush", "dependsOn": [] },
    {
      "ref": "pkg:npm/rush/my-app#apps/my-app",
      "dependsOn": ["pkg:npm/my-controls", "pkg:npm/whatwg-fetch"]
    },
    {
      "ref": "pkg:npm/rush/my-controls#libraries/my-controls",
      "dependsOn": []
    },
    {
      "ref": "pkg:npm/rush/my-toolchain#tools/my-toolchain",
      "dependsOn": ["pkg:npm/colors"]
    },

rushsbom2.json

[justindeocampodd]

yes this is fantastic! thank you for the prompt response, approved it

[justindeocampodd]

Whats the cadence for releases? Do we know when we can expect this to land?