Usage in a multi-product monorepo

[SF97]

Hello

First and foremost, thank you for this project :) We need to build SBOMs for compliance and vulnerability scanning, and it is great!

Now to my question :)
We run a large monorepo in my company. This monorepo has two products in it. It has microservices that are mostly in JavaScript with dependencies managed by pnpm. Some microservices belong to one product only, and some are shared between both products. The structure is similar to this:

services
    common
       service 1
       service 2
       ...
    product-1
       service 1
       service 2
       ...
    product-2
       service 1
       service 2
       ...

Each service depends on libs that are in different folders.

Ideally, we would like to get an SBOM for each service in the repository, but an SBOM per product should also work. I've been trying to get an SBOM for each service with this tool, but I haven't had any success so far. When running the tool inside each service, the SBOM information only contains info about the tool:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:f4c0098e-c613-4acb-80bd-2177e7690452",
  "version": 1,
  "metadata": {
    "timestamp": "2023-09-09T12:54:21.957Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "9.7.1",
          "purl": "pkg:npm/%40cyclonedx/[email protected]",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/[email protected]"
        }
      ]
    },
    "authors": [
      {
        "name": "Prabhu Subramanian",
        "email": "[email protected]"
      }
    ]
  },
  "components": [],
  "services": [],
  "dependencies": []
}

I guess this is due to the pnpm-lock file being at the top of the repository.

If I run the tool at the top of the repository, information about dependencies is shown. However, the information accounts for both products, and I need to have information per-product

Is there a way to get an SBOM for a single service in the monorepo, no matter where it is located?

[prabhu]

@SF97, thank you for the kind words. Wondering if we can run from the root of the repository and then filter based on component.properties. Is there anything useful in those attributes?

[SF97]

I don't think there's anything useful there for this use case. It's mostly objects with name property set to SrcFile and value set to the path of root pnpm-lock file

[prabhu]

Can you also run the evinse tool?

evinse -i bom.json -o bom.evinse.json -l javascript <path to the application>

This will set component.evidence.occurrences, which can be used to filter.

[SF97]

The original bom already has component.evidence.occurrences, but evinse made some changes to it. I've filtered the bom file by component.evidence.occurrences before and after evinse and the results are the same: I can filter direct dependencies of the service, but not transitive ones, at least not directly. Would I need to filter the dependencies of each direct dependency, and so on, until I get a complete BOM file?

One other thing that I noticed is that the bom does not include my own dependencies. For instance, I have this:

lib/
    lib1
services/
    service 1

service 1 depends on lib1, which has some other dependencies. So, in fact, service 1 includes has all dependencies of lib1. However, there is no reference of lib1 in the generated BOM file, althought all its dependencies are there through analysis of lockfile and "ImportedModules". Is this intended behavior? It looks like the BOM is not complete, because it's missing lib1, but I'm not an expert at the matter, by far.

[prabhu]

@SF97, this is a great analysis. Could you share the lock files and generated sbom with me?

https://discord.gg/tmmtjCEHNV

Alternatively, could you create a sample application to reproduce this issue and work with us to implement it?

[SF97]

I can't share the lock files and SBOM due to compliance reasons, but I created a repo here: https://github.com/SF97/cdxgen-analysis which demonstrate what I'm talking about. If you look at the generated SBOM there is no reference to "first-party-lib". There's no reference to the service name, either. I've joined the Discord channel, so feel free to ping me for anything I can help with :)