Node
To generate a CycloneDX SBOM for a Node project with npm, you first need Node.js and npm installed on your system. Then, follow these steps:
- Open a terminal or command line.
- Install the @cyclonedx/cyclonedx-npm package globally:
npm install -g @cyclonedx/cyclonedx-npm
- Run the dependency analysis with CycloneDX. The tool reads the installed node_modules tree (it drives npm ls under the hood), so run npm install or npm ci in the project first, then:
cyclonedx-npm --output-file sbom.json
Add --omit dev if development dependencies should be left out of the SBOM.
Integration with GitLab
Now that we know how to generate the SBOM for Node, let's add a stage to the CI so that it runs on each commit and sends the result to the Dependency-Track dependency management platform.
.gitlab-ci.yml
sbom_scan_node:
  stage: sbom_scan   # the stage must also be declared under stages: in the pipeline
  # image pinned by digest, so the SBOM generator itself cannot be silently replaced
  image: harbor.opensecdevops.com/osdo/cyclonedx-npm@sha256:692c7d4a163548c90cf6b0d041ae99e113ef33c841aac3cd58c8ac6fc3c04a9f
  # take artifacts only from the earlier npm job, which is expected to provide node_modules
  dependencies: ['npm']
  script:
    - cyclonedx-npm --output-file sbom.json --omit dev --short-PURLs
    - sh .gitlab-ci/dependency-track.sh
  allow_failure: true   # a failed SBOM job does not block the pipeline; drop this to make it gating
  artifacts:
    expire_in: 1 days
    paths:
      - sbom.json
    reports:
      cyclonedx: sbom.json
Once the SBOM is loaded into Dependency-Track, the platform shows the project's components, whether newer versions exist for them, and their known vulnerabilities.
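The page does not show the contents of .gitlab-ci/dependency-track.sh. The script below is an added example of what it can look like, not the original author's script. It assumes two masked CI/CD variables, DTRACK_URL and DTRACK_API_KEY, uses curl, and auto-creates the project in Dependency-Track on first upload; CI_PROJECT_NAME and CI_COMMIT_REF_NAME are GitLab predefined variables. It validates the generated file before sending it, uploads it with the Dependency-Track REST API (POST /api/v1/bom as multipart/form-data) and then polls GET /api/v1/bom/token/<uuid> so that a server-side processing failure surfaces in this job rather than going unnoticed.

```shell
#!/bin/sh
# .gitlab-ci/dependency-track.sh (example, assumed contents; the original
# page does not show this script). Uploads sbom.json to Dependency-Track
# and waits until the server has finished processing it.
#
# Assumed CI/CD variables (define them as masked variables in GitLab):
#   DTRACK_URL      base URL of the Dependency-Track API server
#   DTRACK_API_KEY  API key of a team with BOM_UPLOAD and
#                   PROJECT_CREATION_UPLOAD permissions
set -eu

SBOM_FILE="${1:-sbom.json}"

# Fail fast if a required variable is missing; an empty API key would
# otherwise only show up as a confusing 401 from the server.
require_var() {
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then
        echo "error: required variable $1 is not set" >&2
        return 1
    fi
}

# Sanity-check the generated SBOM before sending it: it must exist, be
# non-empty and declare itself as CycloneDX. This catches an empty or
# error file left behind by a failed cyclonedx-npm run.
check_sbom() {
    f="$1"
    [ -s "$f" ] || { echo "error: $f is missing or empty" >&2; return 1; }
    grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f" \
        || { echo "error: $f is not a CycloneDX JSON document" >&2; return 1; }
}

# Extract the upload token from the server reply {"token":"<uuid>"}.
bom_token_from_response() {
    printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 once the /api/v1/bom/token/<uuid> reply says processing is over.
processing_finished() {
    printf '%s' "$1" | grep -q '"processing"[[:space:]]*:[[:space:]]*false'
}

# POST the SBOM as multipart/form-data. autoCreate=true lets the first
# pipeline of a new project create it in Dependency-Track. Prints the token.
upload_sbom() {
    resp=$(curl -sSf --max-time 60 -X POST "$DTRACK_URL/api/v1/bom" \
        -H "X-Api-Key: $DTRACK_API_KEY" \
        -F "projectName=$2" \
        -F "projectVersion=$3" \
        -F "autoCreate=true" \
        -F "bom=@$1")
    token=$(bom_token_from_response "$resp")
    [ -n "$token" ] || { echo "error: no token in response: $resp" >&2; return 1; }
    printf '%s\n' "$token"
}

# Poll until the server has finished analysing the uploaded SBOM.
wait_for_processing() {
    i=0
    while [ "$i" -lt 30 ]; do
        resp=$(curl -sSf --max-time 30 -H "X-Api-Key: $DTRACK_API_KEY" \
            "$DTRACK_URL/api/v1/bom/token/$1")
        if processing_finished "$resp"; then return 0; fi
        i=$((i + 1))
        sleep 2
    done
    echo "error: upload $1 still processing after timeout" >&2
    return 1
}

main() {
    require_var DTRACK_URL
    require_var DTRACK_API_KEY
    check_sbom "$SBOM_FILE"
    token=$(upload_sbom "$SBOM_FILE" "${CI_PROJECT_NAME:-unknown}" "${CI_COMMIT_REF_NAME:-unknown}")
    echo "uploaded $SBOM_FILE, token $token"
    wait_for_processing "$token"
    echo "Dependency-Track finished processing $SBOM_FILE"
}

# Run only when executed as this script (sh .gitlab-ci/dependency-track.sh);
# when the file is sourced, the functions stay available for testing.
case "$0" in
    *dependency-track.sh) main ;;
esac
```

In the job above the script is invoked as sh .gitlab-ci/dependency-track.sh with no argument, so it picks up sbom.json from the working directory. The branch name is used as the project version, so every branch gets its own project in Dependency-Track; use a fixed version or a tag instead if you only want to track releases.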