
Problem with Generating SBOM for Workspaces in a TypeScript Project

Open chroberino opened this issue 11 months ago • 14 comments

I am using cdxgen to generate SBOMs for a TypeScript project based on Eclipse Theia. My project structure is as follows:

myproj/
├── myproj/theia-app/package.json
├── myproj/theia-app/browser-app/package.json
└── myproj/theia-app/electron-app/package.json

The package.json file in myproj/theia-app/ contains:

"workspaces": [
    "browser-app",
    "electron-app"
]

When I run cdxgen -o sbom.json inside myproj/theia-app/, it successfully generates an SBOM that includes components from both browser-app and electron-app.

However, my goal is to generate separate SBOMs for browser-app and electron-app. When I try to do this by running cdxgen -o sbom.json inside myproj/theia-app/browser-app/ or myproj/theia-app/electron-app/, I receive the following error:

Executing 'npm install' in D:\myproj\theia-app\browser-app
npm install has failed. Generated SBOM will be empty or with a lower precision.

The resulting sbom.json is mostly empty and only contains minimal metadata:

{
    "bomFormat": "CycloneDX",
    "components": [],
    "dependencies": [],
    "metadata": {
        "authors": [
            {
                "name": "OWASP Foundation"
            }
        ],
        "lifecycles": [
            {
                "phase": "build"
            }
        ],
        "timestamp": "2025-02-26T08:46:17Z",
        "tools": {
            "components": [
                {
                    "name": "cdxgen",
                    "version": "11.1.10"
                }
            ]
        }
    },
    "specVersion": "1.6",
    "version": 1
}

Steps to Reproduce

  1. Install cdxgen globally: npm i -g @cyclonedx/cdxgen
  2. Run cdxgen -o sbom.json inside myproj/theia-app/ → Works as expected.
  3. Run cdxgen -o sbom.json inside myproj/theia-app/browser-app/ → Fails with npm install has failed and produces an empty SBOM.
  4. Run cdxgen -o sbom.json ./browser-app from myproj/theia-app/ → Same result.

Note that I build my project using yarn.

Expected Behavior

I should be able to generate separate SBOMs for browser-app and electron-app by running cdxgen -o sbom.json inside each respective subfolder.

Alternatively, running cdxgen -o sbom.json ./browser-app from myproj/theia-app/ should work.

Environment

  • OS: Windows 10
  • Node.js version: 20.18.1
  • npm version: 10.8.2
  • yarn version: 1.22.22
  • cdxgen version: 11.1.10

Question

What do I need to do in order to generate separate SBOMs for browser-app and electron-app without encountering the npm install has failed issue? Is there a specific flag or workaround to make this work in subfolders of a workspace-based project?

chroberino avatar Feb 26 '25 09:02 chroberino

Could you share a sample project to reproduce this? Even I want individual SBOMs for one of my polyglot projects. This could be a special scenario where the split is based on the sub-project.

Related: https://github.com/CycloneDX/cdxgen/issues/689

prabhu avatar Feb 26 '25 12:02 prabhu

Could you share a sample project to reproduce this?

@prabhu you can easily verify this behaviour in the theia-ide project: https://github.com/eclipse-theia/theia-ide. My project is based on an earlier version of their structure. However, I just verified the same problem with a fresh clone of the theia-ide repo. There the folders corresponding to my project are:

theia-ide/
├── applications/browser
└── applications/electron

I just did cdxgen -o sbom.json in applications/browser and got

Executing 'npm install' in D:\theia-ide\applications\browser
npm install has failed. Generated SBOM will be empty or with a lower precision.

chroberino avatar Feb 26 '25 13:02 chroberino

Thank you! This requires implementing workspace support for yarn. We added this feature for pnpm and uv recently. Will look for sponsors.

prabhu avatar Feb 26 '25 13:02 prabhu

This requires implementing workspace support for yarn.

Are you sure yarn causes this issue?

Afaik, Theia just recently (version 1.58) moved from yarn to npm. While for my project I still use yarn, it should be npm for Theia.

chroberino avatar Feb 26 '25 14:02 chroberino

I am seeing yarn being used for building etc.

https://github.com/eclipse-theia/theia-ide/blob/master/package.json#L39 https://github.com/eclipse-theia/theia-ide/blob/master/.github/workflows/build.yml#L49

How do you know it is npm?

prabhu avatar Feb 26 '25 16:02 prabhu

How do you know it is npm?

I was assuming it should be npm for Theia, because it was prominently announced for the 1.58 release, e.g. here: https://eclipsesource.com/blogs/2025/02/06/eclipse-theia-1-58-release-news-and-noteworthy/

chroberino avatar Feb 26 '25 16:02 chroberino

Interesting! It does build cleanly with both npm and yarn, which is good. Wish they had committed the package-lock.json in the repo. The workspace feature still needs to be added to cdxgen though since the lock file is not granular enough to specify which workspace and which dependency requested a specific package.

From a quick test, noticed that cdxgen is throwing some warnings even with a lock file, so needs some work.

node /Volumes/Work/CycloneDX/cdxgen/bin/cdxgen.js -t npm -o bom.json .
Parsing /Volumes/Work/sandbox/theia-ide/package-lock.json
Constructing virtual dependency tree based on the lock file. Pass --deep argument to construct the actual dependency tree from disk.
/Volumes/Work/sandbox/theia-ide/package.json doesn't contain the package name. Consider using the 'npm init' command to create a valid package.json file for this project. Assuming the name as '/Volumes/Work/sandbox/theia-ide'.
===== WARNINGS =====
[
  'Invalid ref in dependencies pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]',
  'Invalid ref in dependencies.dependsOn pkg:npm/[email protected]'
]

prabhu avatar Feb 26 '25 16:02 prabhu
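The warnings quoted above say that the `dependencies` graph of the generated BOM refers to bom-refs that do not exist in `components`. The following is an added example (not cdxgen's code) of the check that produces such a warning, run over a small constructed BOM; the package names and versions in `SAMPLE_BOM` are made up for illustration.

```javascript
// Added example, not cdxgen's code: the check behind warnings of the form
// "Invalid ref in dependencies ..." / "Invalid ref in dependencies.dependsOn ...".
// Every ref in the CycloneDX "dependencies" graph must be the bom-ref of an entry in
// "components" or of metadata.component; anything else is a dangling edge that
// downstream tools (vulnerability matching, graph queries) will silently drop.

function collectBomRefs(bom) {
  const refs = new Set();
  const meta = bom.metadata && bom.metadata.component;
  if (meta && meta["bom-ref"]) refs.add(meta["bom-ref"]);
  for (const c of bom.components || []) if (c["bom-ref"]) refs.add(c["bom-ref"]);
  return refs;
}

// Returns one message per dangling ref, mirroring the wording of the warnings above.
function findInvalidRefs(bom) {
  const known = collectBomRefs(bom);
  const problems = [];
  for (const dep of bom.dependencies || []) {
    if (!known.has(dep.ref)) problems.push(`Invalid ref in dependencies ${dep.ref}`);
    for (const d of dep.dependsOn || []) {
      if (!known.has(d)) problems.push(`Invalid ref in dependencies.dependsOn ${d}`);
    }
  }
  return problems;
}

// Constructed BOM: "left-pad" is listed in dependsOn and has its own dependencies entry,
// but was never emitted as a component, so both refs to it are dangling.
const SAMPLE_BOM = {
  bomFormat: "CycloneDX", specVersion: "1.6", version: 1,
  metadata: {
    component: { "bom-ref": "pkg:npm/example-app@1.0.0", type: "application", name: "example-app", version: "1.0.0" },
  },
  components: [
    { "bom-ref": "pkg:npm/lodash@4.17.21", type: "library", name: "lodash", version: "4.17.21", purl: "pkg:npm/lodash@4.17.21" },
  ],
  dependencies: [
    { ref: "pkg:npm/example-app@1.0.0", dependsOn: ["pkg:npm/lodash@4.17.21", "pkg:npm/left-pad@1.3.0"] },
    { ref: "pkg:npm/lodash@4.17.21", dependsOn: [] },
    { ref: "pkg:npm/left-pad@1.3.0", dependsOn: [] },
  ],
};

console.log(findInvalidRefs(SAMPLE_BOM));
```

Run as `node check-refs.js`; to check a real `bom.json`, replace `SAMPLE_BOM` with `JSON.parse(fs.readFileSync(path, "utf8"))`. A clean BOM returns an empty list.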

Is there any way to work around this for now? Installing dependencies for my project also works fine when using npm instead of yarn. Why does cdxgen strive to invoke npm install? And why does it fail? (When calling npm install manually it succeeds.)

chroberino avatar Feb 27 '25 07:02 chroberino

Added some fixes to the master. Can you try using the master with "-t npm"?

prabhu avatar Feb 27 '25 09:02 prabhu

Added some fixes to the master. Can you try using the master with "-t npm"?

I have pulled the latest master branch and did node d:\cdxgen\bin\cdxgen.js -t npm -o bom.json in the theia-ide/applications/browser folder. Unfortunately, it is still the same result:

Executing 'yarn install' in D:\theia-ide\applications\browser
yarn install has failed. Generated SBOM will be empty or with a lower precision.

chroberino avatar Feb 27 '25 12:02 chroberino

Give me more time. It works without warnings from the root folder by running cdxgen after doing npm install. The lock file is always getting created in the root folder (due to workspaces), so we simply cannot run any install command from within applications/browser. The question for the eclipse theia team is simple: Where is your SBOM?

prabhu avatar Feb 27 '25 13:02 prabhu

The question for the eclipse theia team is simple: Where is your SBOM?

Since I am just a downstream adopter of the theia project I cannot answer for the Theia team, of course.

For my own theia-adopted project I clearly see two SBOMs: One for the electron build and one for the browser-build. These result in two different applications and they even have different dependencies in their package.json files (e.g. electron-updater, electron-log, but also some theia packages like @theia/dev-container are exclusively available in the electron variant).

chroberino avatar Feb 27 '25 14:02 chroberino

Hello @prabhu, I am currently working on an SBOM generation workflow for theia-ide, using the latest cdxgen version 11.8.0. The current project structure is as follows:

theia-ide/
├── theia-ide/applications/browser/package.json
├── theia-ide/applications/electron/package.json
├── theia-ide/theia-extensions/launcher/package.json
├── theia-ide/theia-extensions/product/package.json
├── theia-ide/theia-extensions/updater/package.json
├── theia-ide/package.json
└── theia-ide/yarn.lock

Given it's a mono-repo, it has multiple components listed under workspaces in the root level package.json:

  "workspaces": [
    "applications/*",
    "theia-extensions/*"
  ],

each with its own folder and package.json file. The project is currently managed through yarn and has only one yarn.lock file at the root level.

My goal is very similar to this issue - to generate an SBOM for the project that has a complete dependency tree (meaning all components of the mono-repo such as browser, electron, etc. have an accurate dependencies representation).

I attempted 2 ways of doing this using the cdxgen tool:

  • 1 SBOM for the entire project Running: cdxgen -t yarn -o bom.json at the root level of the project, the SBOM does not include the workspace components' dependency lists. The 1 reference I could find of each is under the components key in the SBOM.
  • individual SBOM for each component Running: cdxgen -t yarn -o bom.json at the root of each component's folder, the SBOMs come back empty. I assume it's because cdxgen cannot find a yarn.lock file at that level (since there's only one at root for mono-repos).

Now I’ve taken a look at https://github.com/eclipse-theia/theia-ide/issues/489 - but couldn’t find guidelines on how to actually start to generate SBOM(s) for the project in its current setup (mono-repo managed through yarn) using the cdxgen tool.

My main question is if it's possible to approach the SBOM generation problem for the project through cdxgen at this time and if so, how to do it to get a complete result for all components? Thanks!

iliescuioana avatar Oct 01 '25 10:10 iliescuioana
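The two comments above describe the same constraint from both sides: a yarn v1 monorepo has exactly one yarn.lock at the root, and that file records resolved versions for the whole repo without saying which workspace requested what. The attribution has to come from each workspace's package.json. The following is an added example, not cdxgen's code and not anything from the theia-ide repository, of how a per-workspace CycloneDX component and dependency list can be derived by walking the root lock file from one workspace's declared dependencies. The lock content, workspace names and versions in `LOCK` and `WORKSPACES` are constructed for illustration; the parser handles the yarn v1 lockfile format only (yarn 1.22.x, as used in this thread), not the YAML lockfile of yarn 2+.

```javascript
// Added example (not cdxgen's code): derive a per-workspace CycloneDX BOM from a yarn v1
// monorepo that has a single yarn.lock at the root. The lock file fixes the resolved
// versions for the whole repo; the workspace's package.json selects which subset of it
// that workspace actually pulls in. Sibling workspaces are linked, not locked, so they
// are resolved from their own package.json instead of the lock file.
// All package names, versions and lock content below are constructed.

// Parse yarn.lock v1 into a Map of "name@range" -> { name, version, dependencies }.
function parseYarnLockV1(text) {
  const entries = new Map();
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(":")) {
      // Header: one or more comma-separated "name@range" keys sharing one resolution.
      const keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { name: keys[0].slice(0, keys[0].lastIndexOf("@")), version: null, dependencies: {} };
      for (const k of keys) entries.set(k, current);
      inDeps = false;
    } else if (indent === 2 && current) {
      inDeps = line === "dependencies:" || line === "optionalDependencies:";
      const m = line.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && current && inDeps) {
      const m = line.match(/^"?([^"\s]+)"? "([^"]+)"$/); // scoped names are quoted here
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Package URL for an npm package; the scope's "@" is percent-encoded as in cdxgen output.
function npmPurl(name, version) {
  return `pkg:npm/${name.startsWith("@") ? "%40" + name.slice(1) : name}@${version}`;
}

// workspaces: package name -> parsed package.json of that workspace; target: the one to emit.
function workspaceBom(lockText, workspaces, target, includeDev = false) {
  const lock = parseYarnLockV1(lockText);
  const components = new Map(); // bom-ref -> component
  const dependsOn = new Map(); // bom-ref -> Set(bom-ref)
  const missing = []; // requested "name@range" with no entry in the lock file
  const declared = (pkg) => ({ ...(pkg.dependencies || {}), ...(includeDev ? pkg.devDependencies || {} : {}) });

  function add(ref, name, version, deps) {
    if (components.has(ref)) return ref;
    components.set(ref, { "bom-ref": ref, type: "library", name, version, purl: ref });
    const edges = new Set();
    dependsOn.set(ref, edges); // registered before recursing so dependency cycles terminate
    for (const [n, r] of Object.entries(deps)) {
      const child = resolve(n, r);
      if (child) edges.add(child);
    }
    return ref;
  }
  function resolve(name, range) {
    const ws = workspaces[name];
    if (ws) return add(npmPurl(ws.name, ws.version), ws.name, ws.version, declared(ws));
    const entry = lock.get(`${name}@${range}`);
    if (!entry) { missing.push(`${name}@${range}`); return null; }
    return add(npmPurl(entry.name, entry.version), entry.name, entry.version, entry.dependencies);
  }

  const root = workspaces[target];
  const rootRef = add(npmPurl(root.name, root.version), root.name, root.version, declared(root));
  const rootComponent = { ...components.get(rootRef), type: "application" };
  components.delete(rootRef); // the workspace itself is metadata.component, not one of its dependencies
  const bom = {
    bomFormat: "CycloneDX", specVersion: "1.6", version: 1,
    metadata: { component: rootComponent },
    components: [...components.values()],
    dependencies: [...dependsOn].map(([ref, set]) => ({ ref, dependsOn: [...set].sort() })),
  };
  return { bom, missing };
}

// Constructed root yarn.lock: versions are illustrative, not taken from the theia-ide repo.
const LOCK = `# yarn lockfile v1

"@theia/core@^1.58.0":
  version "1.58.0"
  resolved "https://registry.example.test/@theia/core/-/core-1.58.0.tgz"
  dependencies:
    inversify "^6.0.1"

debug@^4.3.4:
  version "4.3.7"
  dependencies:
    ms "^2.1.3"

electron-updater@^6.3.0:
  version "6.3.9"
  dependencies:
    debug "^4.3.4"

inversify@^6.0.1:
  version "6.0.2"

ms@^2.1.3:
  version "2.1.3"
`;

// Constructed workspaces keyed by package name, mirroring applications/* and theia-extensions/*.
const WORKSPACES = {
  "theia-browser-app": { name: "theia-browser-app", version: "1.0.0", dependencies: { "@theia/core": "^1.58.0" } },
  "theia-electron-app": { name: "theia-electron-app", version: "1.0.0",
    dependencies: { "@theia/core": "^1.58.0", "electron-updater": "^6.3.0", "theia-updater-ext": "1.0.0" } },
  "theia-updater-ext": { name: "theia-updater-ext", version: "1.0.0",
    dependencies: { "@theia/core": "^1.58.0", "electron-updater": "^6.3.0" } },
};

for (const ws of ["theia-browser-app", "theia-electron-app"]) {
  const { bom, missing } = workspaceBom(LOCK, WORKSPACES, ws);
  console.log(ws, bom.components.map((c) => c.purl), missing.length ? { missing } : "");
}
```

Against a real checkout, `LOCK` would be `fs.readFileSync("yarn.lock", "utf8")` from the repo root and `WORKSPACES` the parsed `package.json` of every directory matched by the root `workspaces` globs; running it once per application workspace yields the two separate SBOMs asked for in this thread (browser without the electron-only packages, electron including them and the linked updater extension). Anything that lands in `missing` means the lock file is out of step with a package.json and the output should not be trusted until `yarn install` has been re-run at the root.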

@iliescuioana Kindly give us some time. I am currently running behind on many other projects, so do not have the capacity to look into cdxgen. If you triage and suggest some potential enhancements or fixes, that would be much appreciated.

prabhu avatar Oct 10 '25 17:10 prabhu