Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

📣 looking for contributors #12

Closed
jkowalleck opened this issue Dec 15, 2023 · 8 comments
Closed

📣 looking for contributors #12

jkowalleck opened this issue Dec 15, 2023 · 8 comments
Labels
help wanted Extra attention is needed

Comments

@jkowalleck
Copy link
Member

jkowalleck commented Dec 15, 2023

CycloneDX is a community effort, free for all.

Based on #8
This project is currently looking for contributors/champions.

Drop a note, or ping, if you are interested.

@jkowalleck jkowalleck added the help wanted Extra attention is needed label Dec 15, 2023
@jkowalleck jkowalleck pinned this issue Dec 15, 2023
@fkluthe

This comment was marked as off-topic.

@jkowalleck

This comment was marked as off-topic.

@sbernard31

This comment was marked as off-topic.

@jkowalleck

This comment was marked as off-topic.

@sbernard31
Copy link

(Just in case it helps : yarnpkg/berry#6063)

@AugustusKling
Copy link
Contributor

@jkowalleck I've experimented yesterday with creating a Yarn plugin to generate CycloneDX SBoMs. The generated files look good at first glance.

Note however that I don't want to make any promises just yet without doing some further assessments if the taken approach is sound. Expect some update on this in a couple of days.

@AugustusKling
Copy link
Contributor

@jkowalleck, @sbernard31 see draft in PR #13. This plugin generates correctly looking SBOMs for the projects I've tested with as far as I can judge.

Easiest way to test on existing Yarn projects is yarn plugin import https://raw.githubusercontent.com/AugustusKling/cyclonedx-node-yarn/1.0-dev/bundles/%40yarnpkg/plugin-sbom.js followed by yarn sbom --component-type=application --output-file=sbom.cdx.json if you want to trust minified code by a random guy.

The more sensible way is:

  1. Checkout the repo.
  2. yarn install
  3. Carefully check source code.
  4. Build using yarn build or yarn build:dev
  5. Change to your project directory.
  6. Import plugin yarn plugin import /wherever-your-checkout-is/bundles/@yarnpkg/plugin-sbom.js
  7. yarn sbom --component-type=application --output-file=sbom.cdx.json

@jkowalleck jkowalleck unpinned this issue Mar 8, 2024
@jkowalleck jkowalleck modified the milestone: v1.0 Mar 20, 2024
@jkowalleck
Copy link
Member Author

Implementation is coming to an end, nearly all features are done.
closing issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests

4 participants