How to generate a Nodejs SBOM in CycloneDX format

Generating a SBOM can sometimes be very simple and other times a royal pain. For this first SBOM tutorial, I’m going down the very simple path! :-)

Using the open source ios-triage app, the following steps will build a CycloneDX SBOM in JSON format. As I’m hoping this blog is useful for folks new to security and/or programming, I’m going to provide a step-by-step approach.

Note: these commands were run on macOS but can be easily adapted for Linux or Windows

The general steps will be:

  1. Download ios-triage source code
  2. Install nodejs (via nvm)
  3. Globally install the CycloneDX Node.js Module
  4. Generate the CycloneDX SBOM with cyclonedx-node

All of the steps are run from the command line. My preferred terminal client is iTerm2 but you can simply run any terminal app on your computer.

Download ios-triage source code

You can head over to the ios-triage repo and click the Code button for various options to download the source code. If you already have git installed and configured, you can simply clone the repo with:

$ mkdir -p ~/spfexpert/
$ cd ~/spfexpert/
$ git clone https://github.com/ahoog42/ios-triage.git

Other options include GitHub Desktop, the GitHub CLI or you can simply download it over https and unzip it on your computer.

Install nodejs (via nvm)

The CycloneDX tool we’re going to run is built with Node.js. You can simply visit their website, download the Node.js runtime and you should be all set. However, if you plan on tinkering with Node.js, it probably makes sense to install nvm (Node Version Manager). You can follow the most up-to-date install directions on nvm’s website but here’s the tl;dr:

$ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
(restart your terminal)
$ nvm install --lts
$ nvm use --lts

You should now have the Long Term Support (LTS) version of Node.js installed and can check to make sure everything is working with this command:

$ node --version
v16.17.0

Globally install the CycloneDX Node.js Module

Next we’ll install the CycloneDX SBOM tool globally on your computer with this command:

$ npm install -g @cyclonedx/bom

Generate the CycloneDX SBOM with cyclonedx-node

Finally, we’re going to generate the CycloneDX SBOM for ios-triage with this command:

$ cd ios-triage
$ cyclonedx-node --output bom.json

You should now have a new file in your ios-triage folder called bom.json and can view it with your editor of choice. The tool I prefer to use is jq, which you can easily install on macOS with Homebrew:

$ brew install jq
$ jq . bom.json | less
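Beyond eyeballing the file in jq, it helps to check what the SBOM actually contains: how many components were recorded, which licenses appear, and which components are missing a package URL (purl) or license data that downstream tools such as Dependency-Track rely on. The script below is an added example, not part of the original post or the ios-triage project; the embedded BOM is a constructed CycloneDX 1.4 fragment standing in for bom.json, not the real output for ios-triage.

```python
import json
from collections import Counter

# Constructed CycloneDX 1.4 JSON fragment standing in for bom.json
# (sample data, not the real output for ios-triage).
SAMPLE_BOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "ios-triage", "version": "0.0.1"}},
  "components": [
    {"type": "library", "name": "commander", "version": "2.9.0",
     "purl": "pkg:npm/commander@2.9.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "left-pad", "version": "1.3.0"},
    {"type": "library", "name": "@scope/pkg", "version": "0.1.0",
     "purl": "pkg:npm/%40scope/pkg@0.1.0", "licenses": [{"expression": "ISC OR MIT"}]}
  ]
}
"""

def load_bom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document (bomFormat missing or wrong)")
    return bom

def component_licenses(component):
    """Return the license ids, names or SPDX expressions declared on a component."""
    found = []
    for entry in component.get("licenses", []):
        if "license" in entry:  # {"license": {"id": ...}} or {"license": {"name": ...}}
            found.append(entry["license"].get("id") or entry["license"].get("name"))
        elif "expression" in entry:  # {"expression": "ISC OR MIT"}
            found.append(entry["expression"])
    return [f for f in found if f]

def summarize(bom):
    """Return (component count, license counter, names lacking a purl or license)."""
    components = bom.get("components", [])
    licenses = Counter()
    incomplete = []
    for c in components:
        lics = component_licenses(c)
        licenses.update(lics)
        if not lics or not c.get("purl"):
            incomplete.append(c["name"])
    return len(components), licenses, incomplete

if __name__ == "__main__":
    count, licenses, incomplete = summarize(load_bom(SAMPLE_BOM))
    print(f"{count} components; licenses: {dict(licenses)}; incomplete: {incomplete}")
```

To run it against the real file, replace SAMPLE_BOM with the contents of bom.json (for example `open("bom.json").read()`).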

You can explore the CycloneDX specification further on their website as well as a wealth of other SBOM information.

Next Steps

If you’re new to Software Bill of Materials, I hope you found this blog useful. I’m planning on a number of follow-up parts to this series including:

  1. Technical introduction to Software Bill of Materials (SBOMs)
  2. How to generate a Node.JS SBOM in CycloneDX format
  3. Source code vs binary analysis for SBOMs
  4. How to generate an Android (React Native) SBOM in CycloneDX format
  5. Generating an Android SBOM on each build of your mobile app with GitHub Actions
  6. Generating an iOS SBOM on each build of your mobile app with GitHub Actions
  7. Leveraging Dependency-Track to continuously analyze your mobile SBOMs

If you have any suggestions for other topics or feedback in general, please connect with me and let me know!