Hi all,
Just speaking to what would need to be collected into an SBOM, we have three sources:
- The Composer package lists (examples: composer.json/composer.lock, but there are a few)
- The NPM package list (package.json/package-lock.json)
- Probably still one or two 3rd-party pieces of code committed directly to the repo, though we have nearly cleaned up all of these bad habits
I don’t have experience with SBOM or SPDX more specifically, but given the number of packages that are included from the two dependency management tools, I think the only viable approach would be to identify a tool that could collect them together into an SPDX. Attempting to do this manually would not be sustainable.
I’m pretty sure this will be a solved problem, since our use of Composer and NPM in concert is far from unique. For example, here is a tool to generate SPDX from NPM.
Regards,
Alec Smecher
Public Knowledge Project Team
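
The Composer-plus-NPM merge described in the message above, as an added example that is not part of the original e-mail and not PKP tooling: a Python script that reads a composer.lock and a lockfileVersion 2/3 package-lock.json and emits one SPDX 2.3 JSON document, with a purl, download location, declared license and (where the lock file carries one) a checksum per package. The two lock-file inputs are constructed samples, and the document namespace https://example.test/spdx/example-app-sbom and the creator name lock2spdx-example are hypothetical placeholders.

```python
"""Merge composer.lock and package-lock.json into one SPDX 2.3 JSON document.
Added example, not code from the original message or from PKP. Lock-file fields
are those documented by Composer and npm; the two inputs below are constructed."""
import base64
import json
import re
from datetime import datetime, timezone

# Constructed sample: trimmed composer.lock with one runtime and one dev package.
COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "3.5.0", "license": ["MIT"],
                  "dist": {"type": "zip", "shasum": "",
                           "url": "https://api.github.com/repos/Seldaek/monolog/zipball/abc123"}}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.0", "license": ["BSD-3-Clause"],
                      "dist": {"type": "zip", "url": "https://example.test/phpunit-10.5.0.zip",
                               "shasum": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}}],
})
# Constructed sample: trimmed lockfileVersion 3 package-lock.json (scoped + dev entry included).
PACKAGE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@babel/core": {"version": "7.24.0", "license": "MIT", "dev": True,
            "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.24.0.tgz",
            "integrity": "sha512-" + base64.b64encode(bytes(64)).decode()},
        "node_modules/lodash": {"version": "4.17.21", "license": "MIT",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-" + base64.b64encode(bytes(range(64))).decode()},
    },
})

def spdx_id(purl):
    """SPDXIDs may contain only letters, digits, '.' and '-'; derive one from the purl."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", purl[len("pkg:"):])

def composer_packages(lock_text):
    """Yield one component per entry in composer.lock's packages and packages-dev lists."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            dist = pkg.get("dist") or {}
            checksums = []
            if re.fullmatch(r"[0-9a-f]{40}", dist.get("shasum") or ""):  # SHA-1 of archive
                checksums.append({"algorithm": "SHA1", "checksumValue": dist["shasum"]})
            yield {"name": pkg["name"], "version": pkg["version"],
                   "purl": f"pkg:composer/{pkg['name']}@{pkg['version']}",
                   "download": dist.get("url") or "NOASSERTION",
                   # composer.json license array means "any of these": an OR expression
                   "license": " OR ".join(pkg.get("license") or []) or "NOASSERTION",
                   "checksums": checksums, "dev": section == "packages-dev"}

def npm_packages(lock_text):
    """Yield one component per installed path in a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 nests 'dependencies'; not handled in this example")
    for path, pkg in lock["packages"].items():
        if path == "" or pkg.get("link"):
            continue  # root project entry or workspace symlink, not a fetched dependency
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules/a/node_modules/b
        checksums = []
        integrity = pkg.get("integrity") or ""
        if integrity.startswith("sha512-"):  # SRI is base64; SPDX wants lowercase hex
            digest = base64.b64decode(integrity[len("sha512-"):])
            checksums.append({"algorithm": "SHA512", "checksumValue": digest.hex()})
        yield {"name": name, "version": pkg["version"],
               # purl percent-encodes the '@' of a scoped name: pkg:npm/%40scope/name@ver
               "purl": f"pkg:npm/{name.replace('@', '%40')}@{pkg['version']}",
               "download": pkg.get("resolved") or "NOASSERTION",
               "license": pkg.get("license") or "NOASSERTION",
               "checksums": checksums, "dev": bool(pkg.get("dev"))}

def build_spdx(components, doc_name, namespace):
    """Assemble an SPDX 2.3 JSON document with one Package per component."""
    packages, relationships = [], []
    for c in components:
        sid = spdx_id(c["purl"])
        packages.append({
            "name": c["name"], "SPDXID": sid, "versionInfo": c["version"],
            "downloadLocation": c["download"], "filesAnalyzed": False,
            "licenseConcluded": "NOASSERTION", "licenseDeclared": c["license"],
            "checksums": c["checksums"],
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": c["purl"]}],
            "comment": "dev dependency" if c["dev"] else "runtime dependency"})
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relationshipType": "DESCRIBES", "relatedSpdxElement": sid})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": doc_name, "documentNamespace": namespace,
            "creationInfo": {"created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                             "creators": ["Tool: lock2spdx-example"]},  # hypothetical tool name
            "packages": packages, "relationships": relationships}

def generate(composer_text, npm_text):
    """Combine both lock files; the namespace is a hypothetical per-document URI."""
    components = list(composer_packages(composer_text)) + list(npm_packages(npm_text))
    return build_spdx(components, "example-app-sbom", "https://example.test/spdx/example-app-sbom")

if __name__ == "__main__":
    print(json.dumps(generate(COMPOSER_LOCK, PACKAGE_LOCK), indent=2))
```

Two caveats worth keeping in mind if something like this is used for real: the SPDXID derivation collapses every non-alphanumeric character to "-", so two packages whose names differ only in punctuation would collide and need a disambiguating suffix; and the third source in the message, vendored code committed straight into the repo, has no lock file at all, so it has to be recorded by hand or found with a file scanner, which is exactly the gap the dedicated SPDX generators the message alludes to are meant to cover.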