SBOM support for supply chain security integrations
What is the problem this feature would solve?
There is currently no proper way to automatically scan for vulnerabilities or license issues as part of a CI/CD pipeline.
What is the feature you are proposing to solve the problem?
Bun is a fairly new project and therefore it is to be expected that most of the existing vulnerability scanners do not yet support bun. Some tools might implement bun support in the near future, while others may never (or only in a future far, far away) support it.
To improve the current situation, it would be great if Bun would provide a functionality to output a standardized software bill of materials (SBOM) file, like SPDX or CycloneDX, as part of bun install or bun pm.
This would make integration and support with most security tools almost a no-brainer, as the tool vendors don't have to integrate and maintain another format of another tool.
What alternatives have you considered?
As we are using Trivy, we considered using the yarn.lock file (as discussed in https://github.com/aquasecurity/trivy/discussions/5996), but this seems to be only a workaround until full support is integrated into it.
One of the downsides to the binary lock file (bun.lockb) is that SBOM and SCA tools can't natively use this file to find packages being used. As @schewara mentions you can use the yarn.lock file, but it is a workaround.
Newer npm versions support this; see npm sbom.
For example: npm sbom --sbom-format cyclonedx
I'm trying to set this up. I've tried Trivy, which does officially support bun.lock files; however, I have the repository set up as a monorepo with several different Bun projects in there configured as workspaces. I would like to be able to generate an SBOM within each workspace, but Trivy looks for the lock file inside the scanned directory and not at the one in the root of the repository. I have a similar issue with npm sbom: it looks for package-lock.json, which isn't present at all in a Bun project.
Any plans to build this into the Bun CLI soon? If so, please make it so you can generate the SBOM for a workspace and it will scan the parent project for the lock file.
I'm looking at this from a different perspective.
I don't want to scan all of my packages for vulnerabilities, but instead only those which I deploy. It is not good enough to simply look at all production dependencies, because some might be hidden behind unreachable code paths, and some might be wrongfully declared dependencies (or devDependencies).
How I do it right now is by bundling with rollup, using rollup-plugin-sbom and scanning the result with trivy sbom.
Bun also bundles, and has bundler plugins. If there was a bundler plugin that would give me the list of bundled node_modules, that would be a great start. Or a plugin that directly creates an SBOM.
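The bundler-plugin idea above, as an added example that is not part of this thread or of Bun itself: a Bun.build plugin that attributes every file loaded from node_modules to its package and emits a minimal CycloneDX 1.5 document, so only packages that actually reach the bundle end up in the SBOM. It assumes Bun's plugin API (onLoad callbacks that fall through to the default loader when they return nothing, Bun.file, Bun.build, Bun.write) and POSIX-style paths; the function and file names are the example's own.

```javascript
// Added example, not Bun's or the commenter's code; assumes Bun's plugin API (onLoad fall-through, Bun.file/build/write) and POSIX paths.
// Package root of an absolute path under node_modules (nested and @scoped aware).
function packageDirFromPath(filePath) {
  const marker = "/node_modules/";
  const at = filePath.lastIndexOf(marker);
  if (at === -1) return null;
  const parts = filePath.slice(at + marker.length).split("/");
  const depth = parts[0].startsWith("@") ? 2 : 1;
  if (parts.length <= depth) return null; // nothing below the package root
  return filePath.slice(0, at + marker.length) + parts.slice(0, depth).join("/");
}
// Minimal CycloneDX 1.5 document from {name, version} records, deduplicated and sorted.
function toCycloneDX(records) {
  const uniq = new Map(records.map((r) => [`${r.name}@${r.version}`, r]));
  const sorted = [...uniq.values()].sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
  return {
    bomFormat: "CycloneDX", specVersion: "1.5", version: 1,
    components: sorted.map(({ name, version }) => ({
      // purl for npm: a scope's leading "@" is percent-encoded
      type: "library", name, version, purl: `pkg:npm/${name.replace(/^@/, "%40")}@${version}`,
    })),
  };
}
// Bundler plugin: each file Bun loads from node_modules is attributed to its package.
function sbomPlugin() {
  const found = [], seenDirs = new Set();
  return {
    name: "bundle-sbom",
    sbom: () => toCycloneDX(found),
    setup(build) {
      build.onLoad({ filter: /node_modules/ }, async (args) => {
        const dir = packageDirFromPath(args.path);
        if (dir && !seenDirs.has(dir)) {
          seenDirs.add(dir);
          const pkg = await Bun.file(`${dir}/package.json`).json();
          found.push({ name: pkg.name, version: pkg.version });
        }
      });
    },
  };
}
// Bundle one entrypoint and write bundle.cdx.json beside the output for e.g. `trivy sbom`.
async function buildWithSbom(entrypoint, outdir) {
  const plugin = sbomPlugin();
  const result = await Bun.build({ entrypoints: [entrypoint], outdir, plugins: [plugin] });
  if (!result.success) throw new Error("bundle failed; no SBOM written");
  await Bun.write(`${outdir}/bundle.cdx.json`, JSON.stringify(plugin.sbom(), null, 2));
  return plugin.sbom();
}
```

Run `await buildWithSbom("./src/index.ts", "./dist")` under Bun, then `trivy sbom dist/bundle.cdx.json`; a package listed in package.json but never imported by reachable code does not appear.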