Description
Feature Description:
I am the author of an SBOM tool called cdxgen. There is an open issue filed against the tool regarding problems generating an SBOM for Theia. Based on my investigation, here are some suggestions to improve the codebase and enable tools like mine to generate an accurate SBOM.
- Clean Up the yarn bits: For technical reasons, this project is still a yarn project, despite what is stated in the blog. The repository includes a yarn.lock file, and the package.json files specify yarn as the engine, as seen in the browser and electron configurations. The dockerfile and the build process also use yarn. Perhaps the blog was published prematurely?
- Consider the Dependency Tree: The dependency tree generated by Yarn is entirely different from that of npm, so it is not a simple replacement. In fact, based on my quick test, the npm package-lock file lists more vulnerable dependencies than Yarn. Some work is needed to improve the npm dependency tree, such as using overrides.
- Address SBOM Reproducibility: The project's dependency tree varies depending on the operating system and possibly the Python version used. While the build uses Python 3.11, the version range is not formally specified. Clearly defining this range is essential for generating an accurate and reproducible SBOM.
- Split SBOMs: Although the initial goal is to generate a single accurate SBOM, users may prefer separate SBOMs—for example, one for the browser version and one for the electron version, as explained in this comment. This may require custom scripts or enhancements to the SBOM tools, as the project always produces a single lock file in the root directory, regardless of where the `install` command is executed.
The CycloneDX and cdxgen teams can offer support on a best-effort basis; however, including SBOM generation in your roadmap for this year and evaluating available tooling options would be beneficial, as things rarely work out-of-the-box.
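A check for the reproducibility point above, added here as an illustration and not code from cdxgen or Theia: it diffs two CycloneDX JSON SBOMs (the inline samples are constructed, standing in for SBOMs generated on two different operating systems) and reports components present on only one side plus shared components whose version drifted.

```python
import json

# Constructed sample SBOMs (not real Theia output): A from a macOS host, B from a Linux host.
BOM_A = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "fsevents", "version": "2.3.3", "purl": "pkg:npm/fsevents@2.3.3"},
    {"type": "application", "name": "example-app", "version": "1.0.0", "components": [
        {"type": "library", "name": "minimist", "version": "1.2.8", "purl": "pkg:npm/minimist@1.2.8"}]},
]})
BOM_B = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "tar", "version": "6.2.0", "purl": "pkg:npm/tar@6.2.0"},
    {"type": "application", "name": "example-app", "version": "1.0.0", "components": [
        {"type": "library", "name": "minimist", "version": "1.2.7", "purl": "pkg:npm/minimist@1.2.7"}]},
]})


def walk(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from walk(comp.get("components", []))


def component_key(comp):
    """Identity of a component without its version: the purl minus '@version', else its name."""
    purl = comp.get("purl")
    if purl:
        return purl.rsplit("@", 1)[0]
    return comp["name"]


def index_components(bom_json):
    """Map component identity -> version for one CycloneDX JSON document."""
    bom = json.loads(bom_json)
    return {component_key(c): c.get("version") for c in walk(bom.get("components", []))}


def diff_sboms(bom_a, bom_b):
    """Report components found in only one SBOM and shared components whose version differs."""
    a, b = index_components(bom_a), index_components(bom_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "version_drift": {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]},
    }


def is_reproducible(bom_a, bom_b):
    """True only when both SBOMs describe exactly the same component set and versions."""
    d = diff_sboms(bom_a, bom_b)
    return not (d["only_in_a"] or d["only_in_b"] or d["version_drift"])


if __name__ == "__main__":
    print(json.dumps(diff_sboms(BOM_A, BOM_B), indent=2))
```

Running this on real SBOMs from two build hosts shows directly which platform-specific or unpinned dependencies (such as optional native packages) make the project's SBOM non-reproducible.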