
[BUG] SBOM packages and relationships missing under some circumstances #7204

Open
2 tasks done
martinkuba opened this issue Feb 5, 2024 · 2 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x

Comments

@martinkuba

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When I try to generate SBOM for the opentelemetry-js repository, the output is missing some packages and relationships.

The repository is a monorepo with many sub-packages. They are defined using npm workspaces and listed under the packages and experimental/packages directories. Ideally, I would like to generate an SBOM file for each sub-package.

When I run the command below to generate SBOM for a single sub-package (packages/opentelemetry-core), it is missing in the relationships section (the dependency is in the packages/opentelemetry-semantic-conventions directory).

npm sbom --sbom-format spdx --omit dev --workspace packages/opentelemetry-core > sbom.json

The relationship is missing even when I generate SBOM for the whole repository by running this in the root directory:

npm sbom --sbom-format spdx --omit dev > sbom.json

In addition, the SBOM output for the whole repository is missing some dependencies completely even in the packages section of the SBOM file. For example, the sub-package in folder packages/opentelemetry-sdk-trace-node has a dependency on semver, but semver is not included in the SBOM file at all.

Expected Behavior

npm sbom should capture all dependencies in a repository with workspaces.

Steps To Reproduce

First issue:

  1. Generate the SBOM file using these steps:
     git clone git@github.com:open-telemetry/opentelemetry-js.git
     cd opentelemetry-js
     npm ci
     npm sbom --sbom-format spdx --omit dev --workspace packages/opentelemetry-core > sbom.json
  2. In the generated SBOM file, note that the package @opentelemetry/semantic-conventions is listed under packages, but NOT under dependencies.

Second issue:

  1. Generate the SBOM file using these steps:
     git clone git@github.com:open-telemetry/opentelemetry-js.git
     cd opentelemetry-js
     npm ci
     npm sbom --sbom-format spdx --omit dev > sbom.json
  2. In the generated SBOM file, note that the semver package is completely missing (in both the packages and relationships sections), even though the package in packages/opentelemetry-sdk-trace-node depends on it.

Environment

  • npm: 10.4.0
  • Node.js: v18.18.0
  • OS Name: macOS 14.2.1
@pkuijper

Is this bug getting solved? I also have the experience of missing dependencies when I run
npm sbom --omit "dev" --sbom-format cyclonedx

When I run
npm list --omit "dev" --all
I get a list with more dependencies than with the SBoM command.

The purpose is to get an overview of whether there are dependencies with vulnerabilities. If not all dependencies are included, the command is not really useful.

Example:
I created an Angular project with "ng new test"
Added the package @angular/localize with the command "npm i @angular/localize"
Ran "npm install"

If I list dependencies (npm list --omit "dev" --all) and run SBoM (npm sbom --omit "dev" --sbom-format cyclonedx), the list contains more dependencies than the SBoM; for example, the dependency "chokidar" is missing in the SBoM.
When I create an SBoM with CycloneDX (cyclonedx-npm --omit "dev" --output-file C:\temp\deptestnpmDxSBom1.json), the result contains the dependency "chokidar".
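Both the original report (workspace dependency absent from the SPDX relationships, semver absent from packages) and the comment above (comparing `npm list` output against the SBOM) come down to the same check: diff the installed tree against what the SBOM records. The script below is an added example, not code from npm or from either commenter; it cross-checks an SPDX document against `npm ls --omit dev --all --json` output using constructed fixtures whose package names mirror the issue but whose versions and SPDXIDs are made up.

```javascript
// Added example (not from npm or the issue author): cross-check an SPDX SBOM
// from `npm sbom --sbom-format spdx` against the tree from
// `npm ls --omit dev --all --json`. Fixtures are constructed; versions/IDs are made up.
const lsTree = {                                 // shape of `npm ls --json`
  name: "opentelemetry-js", version: "0.0.0",
  dependencies: {
    "@opentelemetry/core": { version: "1.0.0", dependencies: {
      "@opentelemetry/semantic-conventions": { version: "1.0.0" } } },
    "@opentelemetry/sdk-trace-node": { version: "1.0.0", dependencies: {
      semver: { version: "7.0.0" } } },          // absent from the SBOM below
  },
};
const sbom = {                                   // shape of SPDX 2.3 JSON
  packages: [
    { SPDXID: "SPDXRef-root", name: "opentelemetry-js", versionInfo: "0.0.0" },
    { SPDXID: "SPDXRef-core", name: "@opentelemetry/core", versionInfo: "1.0.0" },
    { SPDXID: "SPDXRef-semc", name: "@opentelemetry/semantic-conventions", versionInfo: "1.0.0" },
    { SPDXID: "SPDXRef-node", name: "@opentelemetry/sdk-trace-node", versionInfo: "1.0.0" },
  ],
  relationships: [                               // note: no core -> semc edge
    { spdxElementId: "SPDXRef-root", relationshipType: "DEPENDS_ON", relatedSpdxElement: "SPDXRef-core" },
    { spdxElementId: "SPDXRef-root", relationshipType: "DEPENDS_ON", relatedSpdxElement: "SPDXRef-node" },
  ],
};
// Walk nested `dependencies` objects and collect every name@version reached.
function collectTreeDeps(node, seen = new Set()) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    if (!info || !info.version) continue;        // unresolved or missing entry
    seen.add(`${name}@${info.version}`);
    collectTreeDeps(info, seen);                 // transitive dependencies
  }
  return seen;
}
// name@version pairs present in the installed tree but absent from the SBOM.
function findMissingPackages(tree, doc) {
  const inSbom = new Set((doc.packages || []).map(p => `${p.name}@${p.versionInfo}`));
  return [...collectTreeDeps(tree)].filter(k => !inSbom.has(k)).sort();
}
// Names the SBOM's DEPENDS_ON relationships record as dependencies of pkgName;
// null when pkgName has no package entry at all.
function sbomDependsOn(doc, pkgName) {
  const pkg = doc.packages.find(p => p.name === pkgName);
  if (!pkg) return null;
  const nameOf = new Map(doc.packages.map(p => [p.SPDXID, p.name]));
  return (doc.relationships || [])
    .filter(r => r.relationshipType === "DEPENDS_ON" && r.spdxElementId === pkg.SPDXID)
    .map(r => nameOf.get(r.relatedSpdxElement)).sort();
}
console.log("missing packages:", findMissingPackages(lsTree, sbom));
console.log("core depends on:", sbomDependsOn(sbom, "@opentelemetry/core"));
```

Against the fixtures this reports semver as missing from packages and an empty dependency list for @opentelemetry/core, the two symptoms the issue describes; against real output, an empty result from both checks is what a complete SBOM should produce.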

@jkowalleck

jkowalleck commented Oct 24, 2024

Did you try the official CycloneDX SBOM generator for npm? Does this tool have the same issues?
