Problem with Generating SBOM for Workspaces in a TypeScript Project #1657

Open
chroberino opened this issue Feb 26, 2025 · 12 comments
@chroberino

chroberino commented Feb 26, 2025

I am using cdxgen to generate SBOMs for a TypeScript project based on Eclipse Theia. My project structure is as follows:

myproj/
├── myproj/theia-app/package.json
├── myproj/theia-app/browser-app/package.json
└── myproj/theia-app/electron-app/package.json

The package.json file in myproj/theia-app/ contains:

"workspaces": [
    "browser-app",
    "electron-app"
]

When I run cdxgen -o sbom.json inside myproj/theia-app/, it successfully generates an SBOM that includes components from both browser-app and electron-app.

However, my goal is to generate separate SBOMs for browser-app and electron-app. When I try to do this by running cdxgen -o sbom.json inside myproj/theia-app/browser-app/ or myproj/theia-app/electron-app/, I receive the following error:

Executing 'npm install' in D:\myproj\theia-app\browser-app
npm install has failed. Generated SBOM will be empty or with a lower precision.

The resulting sbom.json is mostly empty and only contains minimal metadata:

{
    "bomFormat": "CycloneDX",
    "components": [],
    "dependencies": [],
    "metadata": {
        "authors": [
            {
                "name": "OWASP Foundation"
            }
        ],
        "lifecycles": [
            {
                "phase": "build"
            }
        ],
        "timestamp": "2025-02-26T08:46:17Z",
        "tools": {
            "components": [
                {
                    "name": "cdxgen",
                    "version": "11.1.10"
                }
            ]
        }
    },
    "specVersion": "1.6",
    "version": 1
}

Steps to Reproduce

  1. Install cdxgen globally: npm i -g @cyclonedx/cdxgen
  2. Run cdxgen -o sbom.json inside myproj/theia-app/ → Works as expected.
  3. Run cdxgen -o sbom.json inside myproj/theia-app/browser-app/ → Fails with npm install has failed and produces an empty SBOM.
  4. Run cdxgen -o sbom.json ./browser-app from myproj/theia-app/ → Same result.

Note that I build my project using yarn.

Expected Behavior

I should be able to generate separate SBOMs for browser-app and electron-app by running cdxgen -o sbom.json inside each respective subfolder.

Alternatively, running cdxgen -o sbom.json ./browser-app from myproj/theia-app/ should work.

Environment

  • OS: Windows 10
  • Node.js version: 20.18.1
  • npm version: 10.8.2
  • yarn version: 1.22.22
  • cdxgen version: 11.1.10

Question

What do I need to do in order to generate separate SBOMs for browser-app and electron-app without encountering the npm install has failed issue? Is there a specific flag or workaround to make this work in subfolders of a workspace-based project?

@prabhu
Collaborator

prabhu commented Feb 26, 2025

Could you share a sample project to reproduce this? Even I want individual SBOMs for one of my polyglot projects. This could be a special scenario where the split is based on the sub-project.

Related: #689

@chroberino
Author

chroberino commented Feb 26, 2025

> Could you share a sample project to reproduce this?

@prabhu you can easily verify this behaviour in the theia-ide project: https://github.com/eclipse-theia/theia-ide
My project is based on an earlier version of their structure.
However, I just verified the same problem with a fresh clone of the theia-ide repo.
There the folders corresponding to my project are:

theia-ide/
├── applications/browser
└── applications/electron

I just did cdxgen -o sbom.json in applications/browser and got

Executing 'npm install' in D:\theia-ide\applications\browser
npm install has failed. Generated SBOM will be empty or with a lower precision.

@prabhu
Collaborator

prabhu commented Feb 26, 2025

Thank you! This requires implementing workspace support for yarn. We added this feature for pnpm and uv recently. Will look for sponsors.

@chroberino
Author

> This requires implementing workspace support for yarn.

Are you sure yarn causes this issue?

Afaik, Theia just recently (version 1.58) moved from yarn to npm. While for my project I still use yarn, it should be npm for Theia.

@prabhu
Collaborator

prabhu commented Feb 26, 2025

@chroberino
Author

> How do you know it is npm?

I was assuming it should be npm for Theia, because it was prominently announced for the 1.58 release, e.g. here:
https://eclipsesource.com/blogs/2025/02/06/eclipse-theia-1-58-release-news-and-noteworthy/

@prabhu
Collaborator

prabhu commented Feb 26, 2025

Interesting! It does build cleanly with both npm and yarn, which is good. Wish they had committed the package-lock.json in the repo. The workspace feature still needs to be added to cdxgen though since the lock file is not granular enough to specify which workspace and which dependency requested a specific package.

From a quick test, I noticed that cdxgen is throwing some warnings even with a lock file, so it needs some work.

node /Volumes/Work/CycloneDX/cdxgen/bin/cdxgen.js -t npm -o bom.json .
Parsing /Volumes/Work/sandbox/theia-ide/package-lock.json
Constructing virtual dependency tree based on the lock file. Pass --deep argument to construct the actual dependency tree from disk.
/Volumes/Work/sandbox/theia-ide/package.json doesn't contain the package name. Consider using the 'npm init' command to create a valid package.json file for this project. Assuming the name as '/Volumes/Work/sandbox/theia-ide'.
===== WARNINGS =====
[
  'Invalid ref in dependencies pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]'
]
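The "Invalid ref" warnings above mean that the generated `dependencies` graph refers to bom-refs that no component in the BOM declares. The following is an added example, not cdxgen's own code, showing how such a check works against a constructed CycloneDX document; the sample component names and versions are illustrative and the warning wording just mirrors the output quoted above.

```javascript
// Added example (not cdxgen's own code): check that every ref in a CycloneDX
// "dependencies" graph points at a declared component, which is what the
// "Invalid ref" warnings above are complaining about. The BOM is constructed.

const sampleBom = {
  bomFormat: "CycloneDX",
  specVersion: "1.6",
  metadata: {
    component: { "bom-ref": "pkg:npm/theia-app@1.0.0", name: "theia-app", version: "1.0.0" },
  },
  components: [
    { "bom-ref": "pkg:npm/%40theia/core@1.58.0", name: "@theia/core", version: "1.58.0" },
    { "bom-ref": "pkg:npm/electron-log@5.0.0", name: "electron-log", version: "5.0.0" },
  ],
  dependencies: [
    // fine: both targets are declared above
    { ref: "pkg:npm/theia-app@1.0.0",
      dependsOn: ["pkg:npm/%40theia/core@1.58.0", "pkg:npm/electron-log@5.0.0"] },
    // broken: dependsOn names a component that is not in the BOM
    { ref: "pkg:npm/%40theia/core@1.58.0", dependsOn: ["pkg:npm/inversify@6.0.1"] },
    // broken: the ref itself is not a declared component
    { ref: "pkg:npm/ghost@0.0.1", dependsOn: [] },
  ],
};

// Collect every bom-ref, including nested components and the metadata component.
function collectBomRefs(bom) {
  const refs = new Set();
  const visit = (c) => {
    if (!c) return;
    if (c["bom-ref"]) refs.add(c["bom-ref"]);
    for (const child of c.components ?? []) visit(child);
  };
  visit(bom.metadata?.component);
  for (const c of bom.components ?? []) visit(c);
  return refs;
}

// Return one warning per dangling ref, phrased like the cdxgen output above.
function findInvalidRefs(bom) {
  const known = collectBomRefs(bom);
  const warnings = [];
  for (const d of bom.dependencies ?? []) {
    if (!known.has(d.ref)) warnings.push(`Invalid ref in dependencies ${d.ref}`);
    for (const dep of d.dependsOn ?? []) {
      if (!known.has(dep)) warnings.push(`Invalid ref in dependencies.dependsOn ${dep}`);
    }
  }
  return warnings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findInvalidRefs(sampleBom));
}
```

A dangling ref is worth failing a pipeline on: consumers that walk the graph (vulnerability matching, license checks) silently skip subtrees rooted at a ref they cannot resolve, so the SBOM looks complete while parts of the dependency tree are missing.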

@prabhu prabhu self-assigned this Feb 26, 2025
@prabhu prabhu changed the title Preblem with Generating SBOM for Workspaces in a TypeScript Project Problem with Generating SBOM for Workspaces in a TypeScript Project Feb 26, 2025
@chroberino
Author

Is there any way to work around this for now?
Installing dependencies for my project also works fine when using npm instead of yarn. Why does cdxgen strive to invoke npm install? And why does it fail? (When calling npm install manually it succeeds.)

@prabhu
Collaborator

prabhu commented Feb 27, 2025

Added some fixes to the master. Can you try using the master with "-t npm"?

@chroberino
Author

> Added some fixes to the master. Can you try using the master with "-t npm"?

I have pulled the latest master branch and did node d:\cdxgen\bin\cdxgen.js -t npm -o bom.json in the theia-ide/applications/browser folder. Unfortunately, it is still the same result:

Executing 'yarn install' in D:\theia-ide\applications\browser
yarn install has failed. Generated SBOM will be empty or with a lower precision.

@prabhu
Collaborator

prabhu commented Feb 27, 2025

Give me more time. It works without warnings from the root folder by running cdxgen after doing npm install. The lock file is always getting created in the root folder (due to workspaces), so we simply cannot run any install command from within applications/browser. The question for the eclipse theia team is simple: Where is your SBOM?

@chroberino
Author

> The question for the eclipse theia team is simple: Where is your SBOM?

Since I am just a downstream adopter of the theia project I cannot answer for the Theia team, of course.

For my own theia-adopted project I clearly see two SBOMs: one for the electron build and one for the browser build. These result in two different applications and they even have different dependencies in their package.json files (e.g. electron-updater, electron-log, but also some theia packages like @theia/dev-container are exclusively available in the electron variant).
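The thread's two observations, that the lock file only ever exists at the workspace root and that each workspace has its own distinct dependency set, are not in conflict: an npm lockfile v3 keeps one `packages` map keyed by on-disk path, so the subtree one workspace actually uses can be recovered by starting at that workspace's entry and resolving each dependency name the way Node does (nearest `node_modules` first, then each parent). The following is an added example, not cdxgen's or Theia's code, that does exactly that over a constructed lock file; the workspace names `browser-app` and `electron-app` mirror the layout from the issue, and the package versions are made up.

```javascript
// Added example (not cdxgen's own code): derive the per-workspace dependency
// set from a single root package-lock.json (lockfileVersion 3), whose
// "packages" map is keyed by path relative to the root. The lock file below is
// constructed for illustration and is not from any real project.

const sampleLock = {
  name: "theia-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "theia-app", workspaces: ["browser-app", "electron-app", "common"] },
    "browser-app": { name: "browser-app", version: "1.0.0",
      dependencies: { "@theia/core": "1.58.0", "shared-lib": "^2.0.0", "common": "*" } },
    "electron-app": { name: "electron-app", version: "1.0.0",
      dependencies: { "@theia/core": "1.58.0", "electron-log": "^5.0.0", "shared-lib": "^1.0.0" } },
    "common": { name: "common", version: "0.1.0" },
    // workspaces appear in node_modules as links back to their real path
    "node_modules/browser-app": { resolved: "browser-app", link: true },
    "node_modules/electron-app": { resolved: "electron-app", link: true },
    "node_modules/common": { resolved: "common", link: true },
    "node_modules/@theia/core": { version: "1.58.0", dependencies: { inversify: "^6.0.0" } },
    "node_modules/inversify": { version: "6.0.1" },
    "node_modules/electron-log": { version: "5.0.0" },
    "node_modules/shared-lib": { version: "1.4.0" },             // hoisted copy (electron-app)
    "browser-app/node_modules/shared-lib": { version: "2.1.0" }, // nested copy (browser-app wants ^2)
  },
};

// Node-style resolution inside the lock: look in <from>/node_modules/<name>,
// then walk up one node_modules level at a time, ending at the root.
function resolveDep(packages, fromPath, depName) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// purl-style identifier; the scope's "@" is percent-encoded as in cdxgen output.
function toPurl(name, version) {
  const n = name.startsWith("@") ? "%40" + name.slice(1) : name;
  return `pkg:npm/${n}@${version}`;
}

// Breadth-first walk from one workspace entry. Returns sorted purls plus any
// names the lock file could not resolve (a sign of a stale or partial lock).
function workspacePurls(lock, workspacePath) {
  const packages = lock.packages;
  if (!packages[workspacePath]) throw new Error(`no lock entry for workspace '${workspacePath}'`);
  const seen = new Map(); // lock path -> purl
  const unresolved = [];
  const queue = [workspacePath];
  while (queue.length) {
    const from = queue.shift();
    const entry = packages[from];
    const deps = {
      ...(entry.dependencies ?? {}),
      ...(entry.optionalDependencies ?? {}),
      // devDependencies only matter for the workspace itself, not its transitive deps
      ...(from === workspacePath ? entry.devDependencies ?? {} : {}),
    };
    for (const depName of Object.keys(deps)) {
      let target = resolveDep(packages, from, depName);
      if (!target) { unresolved.push(depName); continue; }
      if (packages[target].link) target = packages[target].resolved; // follow workspace link
      if (seen.has(target)) continue;
      seen.set(target, toPurl(depName, packages[target].version));
      queue.push(target);
    }
  }
  return { purls: [...seen.values()].sort(), unresolved };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const ws of sampleLock.packages[""].workspaces) {
    console.log(ws, workspacePurls(sampleLock, ws));
  }
}
```

Running it shows why one SBOM per workspace is the right output: `electron-log` appears only under `electron-app`, `common` only under `browser-app`, and `shared-lib` resolves to a different version in each (2.1.0 nested under `browser-app`, 1.4.0 hoisted at the root). A single root-level SBOM would list both `shared-lib` versions with no record of which application ships which one.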
