Skip to content

Add CycloneDX SBOM#4

Open
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
devin/1773062223-add-cyclonedx-sbom
Open

Add CycloneDX SBOM#4
devin-ai-integration[bot] wants to merge 1 commit intomainfrom
devin/1773062223-add-cyclonedx-sbom

Conversation

@devin-ai-integration
Copy link

@devin-ai-integration devin-ai-integration bot commented Mar 9, 2026

Description

Adds a CycloneDX SBOM (sbom.json) to the repository root, generated from the project's package-lock.json using @cyclonedx/cdxgen v12.1.2.

  • Format: CycloneDX JSON, spec version 1.5
  • Components found: 517
  • Tool: @cyclonedx/cdxgen@12.1.2

Motivation and Context

Provides a machine-readable inventory of all dependencies for supply chain security and compliance purposes.

How Has This Been Tested?

The generated sbom.json was validated to confirm:

  • bomFormat is CycloneDX
  • specVersion is 1.5
  • components array is present and populated (517 entries)
  • dependencies graph is included

Types of changes

  • New feature (non-breaking change which adds functionality)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Reviewer Notes

Things worth checking during review:

  1. Dev dependencies included: The SBOM includes all dependencies (runtime + dev) such as jest, eslint, prettier, typescript, etc. Confirm this is the desired scope, or whether it should be filtered to production dependencies only.
  2. Embedded local paths: cdxgen embeds the generation machine's absolute paths in evidence.identity.methods[].value fields (e.g., /home/ubuntu/repos/github-cache-action/package-lock.json). This is standard cdxgen behavior but worth noting.
  3. Static vs. CI-generated: This SBOM is a point-in-time snapshot committed to the repo. It will become stale as dependencies change. Consider whether it should instead be generated in CI on each release.
  4. No trailing newline: The file is a single minified JSON line with no trailing newline.

Link to Devin Session: https://app.devin.ai/sessions/2532a0545ac142ec8bb4c9fb05e57594
Requested by: @Cakasim

@finmid-sre @Cakasim
Add CycloneDX SBOM (sbom.json)
f483f00 
Co-Authored-By: fabian@finmid.com <me@cakasim.de>
@devin-ai-integration devin-ai-integration bot requested a review from Cakasim March 9, 2026 13:18
@devin-ai-integration
Copy link
Author

devin-ai-integration bot commented Mar 9, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Cakasim Cakasim Awaiting requested review from Cakasim

Assignees

@Cakasim Cakasim

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Cakasim @finmid-sre