Open
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)
Description
Is your feature request related to a problem? Please describe.
I am detailing my runtime to node via package.json::engines - see https://docs.npmjs.com/cli/v11/configuring-npm/package-json#engines

```json
{
  "engines": {
    "node": ">=0.10.3 <15"
  }
}
```

I want this information to be detailed in the SBOM generated by this very tool.
Describe the solution you'd like
the sourced information may stem from package manifest (package.json) or from lockfile or from npm-ls
- populate `$.metadata.component.properties` with `cdx:npm:package:constraint:engine:<name> = <version range>` being whatever value found in the package manifest. as per https://cyclonedx.github.io/cyclonedx-property-taxonomy/cdx/npm.html
- optional, for known JS runtimes: for CycloneDX 1.7 add a component to the components list, that has the following attributes:
  - type: platform
  - group: empty
  - name: node, or deno or whatever it is ...
  - version: unset
  - versionRange: a VERS value `vers:npm/...` - see https://github.com/package-url/vers-spec/blob/main/VERSION-RANGE-SPEC.md
  - isExternal: true
  - packageUrl: empty, as
- have this new component a dependency of `$metadata.component`
- type:
Describe alternatives you've considered
none
Additional context
docs:
- packageJSON "engines": https://docs.npmjs.com/cli/v11/configuring-npm/package-json#engines
- CDX properties taxonomy `cdx:npm:`: https://cyclonedx.github.io/cyclonedx-property-taxonomy/cdx/npm.html
- CDX "isExternal" feature: "feat: support for external components with version-ranges" (specification#586)
- CDX "versionRange" feature: "JIT compilers & interpreters are 'platforms'" (specification#647)
- VERS spec: https://github.com/package-url/vers-spec/blob/main/VERSION-RANGE-SPEC.md
Contribution
- I am willing to provide an implementation
- I will wait until somebody else implements it
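As an added illustration of the data flow proposed in this issue (example code, not part of the cyclonedx-node-npm project and not the author's implementation): the snippet below reads the `engines` block of a parsed package.json, emits one `cdx:npm:package:constraint:engine:<name>` property carrying the manifest value verbatim, and, for each engine, a `platform` component with a VERS `versionRange`, `isExternal: true` and a dependency edge from the root component. The CycloneDX 1.7 field names (`versionRange`, `isExternal`), the `platform:<name>` bom-ref scheme and the sample manifest are assumptions made here; the npm-to-VERS conversion handles only `*` and whitespace-separated comparator sets such as `>=0.10.3 <15`, and refuses caret, tilde and `||` ranges rather than guessing at them. An SBOM consumer can then compare the declared runtime range against the runtime lines it actually supports instead of discovering the constraint only at install time.

```javascript
// Added example (not code from the cyclonedx-node-npm project): derive the
// SBOM fragments requested in the issue from a package.json "engines" block.
// Assumptions: CycloneDX 1.7 field names as named in the issue (type
// "platform", "versionRange", "isExternal"); bom-ref values are constructed
// here; only comparator-style npm ranges are converted to VERS.

// Longest comparators first so ">=" is matched before ">".
const COMPARATORS = ['>=', '<=', '!=', '>', '<', '='];

// Convert one npm "engines" range into a VERS string for the npm scheme.
// "*" or an empty range means all versions; a whitespace-separated set of
// comparator constraints (an npm AND-range) becomes "|"-joined constraints.
// Caret/tilde/x/OR ranges are rejected (assumption: caller expands them first).
function npmRangeToVers(range) {
  const trimmed = String(range).trim();
  if (trimmed === '' || trimmed === '*') return 'vers:npm/*';
  if (trimmed.includes('||') || /[\^~xX*]/.test(trimmed)) {
    throw new Error(`unsupported npm range for VERS conversion: ${trimmed}`);
  }
  const constraints = trimmed.split(/\s+/).map((token) => {
    const op = COMPARATORS.find((c) => token.startsWith(c)) || '=';
    const version = token.startsWith(op) ? token.slice(op.length) : token;
    if (version === '') throw new Error(`dangling comparator in: ${trimmed}`);
    return `${op}${version}`;
  });
  return `vers:npm/${constraints.join('|')}`;
}

// Build the SBOM pieces from a parsed package.json: properties for
// metadata.component, the platform components, and the dependency edges
// that make each platform a dependency of the root component.
function enginesToSbom(pkg, rootBomRef = `pkg:npm/${pkg.name}@${pkg.version}`) {
  const engines = pkg.engines || {};
  const metadataProperties = [];
  const components = [];
  const dependsOn = [];
  for (const [name, range] of Object.entries(engines)) {
    // The property carries the manifest value verbatim, as the issue asks.
    metadataProperties.push({
      name: `cdx:npm:package:constraint:engine:${name}`,
      value: String(range),
    });
    const bomRef = `platform:${name}`; // constructed bom-ref scheme
    components.push({
      'bom-ref': bomRef,
      type: 'platform',
      name,
      versionRange: npmRangeToVers(range),
      isExternal: true,
    });
    dependsOn.push(bomRef);
  }
  return {
    metadataProperties,
    components,
    dependencies: [{ ref: rootBomRef, dependsOn }],
  };
}

// Constructed sample manifest mirroring the issue's example.
const samplePackageJson = {
  name: 'example-app',
  version: '1.0.0',
  engines: { node: '>=0.10.3 <15', npm: '>=6' },
};

function demo() {
  return enginesToSbom(samplePackageJson);
}

console.log(JSON.stringify(demo(), null, 2));
```

The property and the platform component deliberately carry different encodings: the property keeps npm's own range syntax so the manifest value is recoverable unchanged, while `versionRange` uses VERS so tools that do not understand npm range syntax can still evaluate it.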