
Support for {yarn,npm} workspaces

Open georgearnall opened this issue 5 years ago • 10 comments

We use a mono repo with yarn workspaces. I've tried running cyclonedx-bom at the repo root and in individual projects but it doesn't detect any packages. Cli Error:

There are no components in the BOM. The project may not contain dependencies or node_modules does not exist. Executing npm install prior to CycloneDX may solve the issue.

Testing with a single project repository works as expected.

Is this supported?

georgearnall avatar Sep 25 '20 11:09 georgearnall

The CycloneDX node module relies on read-installed. If read-installed is compatible with your use case, then it should work (or be made to work).

stevespringett avatar Sep 25 '20 15:09 stevespringett

@georgearnall I don't know how your monorepo is structured. But you might need to iterate through each project in the monorepo and use the append feature to combine the individual SBOMs. Is this a public or private repo?

coderpatros avatar Sep 27 '20 11:09 coderpatros

Thanks for your comments. I have set up a test repository for you to take a closer look if you have time. https://github.com/georgearnall/yarn-workspaces-example

I have tried running cyclonedx on a sub project but I think because the node_modules folder doesn't contain anything (because dependencies are placed in the root) read-installed doesn't pick up the dependencies.

georgearnall avatar Oct 02 '20 13:10 georgearnall
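The two observations above (dependencies hoisted to the root `node_modules`, and combining per-project results into one SBOM) can be demonstrated with a small resolver. This is an added example, not code from cyclonedx-node-module or read-installed: it discovers workspaces from the root `package.json`, resolves each declared dependency by walking upward the way Node does, and emits one merged CycloneDX JSON document deduplicated on purl. The monorepo it scans is a constructed fixture written to a temporary directory.

```python
import json
import tempfile
from pathlib import Path

def read_pkg(directory):
    return json.loads((Path(directory) / "package.json").read_text())

def resolve_dep(start_dir, name):
    # Walk upward as Node's resolver does: a workspace's missing or empty
    # node_modules is skipped and the copy hoisted to the repo root is found.
    d = Path(start_dir).resolve()
    while not (d / "node_modules" / name / "package.json").is_file():
        if d.parent == d:
            return None  # declared but not installed anywhere
        d = d.parent
    return d / "node_modules" / name

def workspace_dirs(root):
    patterns = read_pkg(root).get("workspaces", [])
    return sorted(p.resolve() for pat in patterns for p in Path(root).glob(pat)
                  if (p / "package.json").is_file())

def merged_bom(root):
    # One CycloneDX JSON document for the whole monorepo; a package pulled in
    # by several workspaces collapses to a single component keyed on purl.
    components = {}
    for ws in workspace_dirs(root):
        for name in read_pkg(ws).get("dependencies", {}):
            dep = resolve_dep(ws, name)
            if dep is None:
                continue
            meta = read_pkg(dep)
            purl = f"pkg:npm/{meta['name']}@{meta['version']}"
            components[purl] = {"type": "library", "name": meta["name"],
                                "version": meta["version"], "purl": purl}
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": [components[k] for k in sorted(components)]}

def build_sample_repo():
    # Constructed fixture: two workspaces, all dependencies hoisted to the root.
    root = Path(tempfile.mkdtemp())
    files = {
        "package.json": {"name": "mono", "workspaces": ["packages/*"]},
        "packages/a/package.json": {"name": "a", "version": "1.0.0", "dependencies": {"left-pad": "^1.3.0"}},
        "packages/b/package.json": {"name": "b", "version": "1.0.0", "dependencies": {"left-pad": "^1.3.0", "ms": "^2.1.3"}},
        "node_modules/left-pad/package.json": {"name": "left-pad", "version": "1.3.0"},
        "node_modules/ms/package.json": {"name": "ms", "version": "2.1.3"},
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(json.dumps(data))
    return root
```

Running `merged_bom(build_sample_repo())` yields two components, left-pad and ms, even though neither workspace has its own `node_modules` directory.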

We've just stumbled into this issue too with our monorepo

namloc2001 avatar Jan 26 '21 17:01 namloc2001

read-installed has not received an update in about 6 years. I think this dependency should be fixed.

link89 avatar Aug 27 '21 01:08 link89

This issue is related to #180.

jkowalleck avatar Dec 11 '21 08:12 jkowalleck

Also experiencing the same "There are no components in the BOM" message, using npm workspaces.

Codex- avatar Aug 18 '22 00:08 Codex-

Currently looking into the namespaces topic for the upcoming https://github.com/CycloneDX/cyclonedx-node-npm (currently in beta phase). @Codex-, could you point me to an npm example project, describe how to set it up and use it, and describe the expected outcome? I would love to incorporate this info: https://github.com/CycloneDX/cyclonedx-node-npm/tree/1.0-dev/demo/local-workspaces

jkowalleck avatar Aug 18 '22 13:08 jkowalleck

There is an alternative CycloneDX generator for npm projects that you might want to try: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-npm It supports most features of this (old) implementation, and it supports npm workspaces.

Nope, there is still no implementation for yarn that supports workspaces. Feel free to help out in the respective project: https://github.com/CycloneDX/cyclonedx-node-yarn

jkowalleck avatar Aug 20 '22 10:08 jkowalleck

I'll test cyclonedx-npm today and post any issues over on that repo, cheers.

Codex- avatar Aug 30 '22 23:08 Codex-