add sub-namespace `cdx:npm`

[jkowalleck]

closes #20

TODO

checklist for myself:

• [x] see https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/21#issuecomment-1207481279 and https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/21#issuecomment-1207941916
• [x] validate if bundled dependencies are marked on their parent(root/cause) or on themself(effect)
  • npm flags components as inBundle when they are bundled with their parent

[stevespringett]

One thing that would be really useful to add (and hopefully can be determined during BOM creation) is whether or not a component has scripts that are executed upon install.

If this can be determined, adding cdx:npm:package:install-scripts-present (boolean) would be really useful along with one or more of cdx:npm:package:install-script with the value of the script.

[stevespringett]

Adding support for config, engines, and os would also be useful.

[jkowalleck]

re: https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/21#issuecomment-1207481279

Adding support for config, engines, and os would also be useful.

i am not planning to fetch these information in my current implementation. and i did not want to propose a complete list of properties, just the ones i currently need.

As this is a living standard, the future will tell what to add, right?

engine

in package,json its written as https://docs.npmjs.com/cli/v8/configuring-npm/package-json#engines example:

{
  "engines": {
    "node": ">=16.0.7",
    "npm": "6 - 8"
  }
}

Could be cdx:npm:engine:<NAME> to represent this. What do you thing?

OS

in package,json its written as https://docs.npmjs.com/cli/v8/configuring-npm/package-json#os

Could be cdx:npm:os to represent this. What do you thing?

config

in package,json its written as https://docs.npmjs.com/cli/v8/configuring-npm/package-json#config

Could be cdx:npm:package:config:<NAME> to represent this. What do you thing?

[stevespringett]

I think the proposal for engine, os, and config are good. We should likely include it in the taxonomy even if you're not implementing them just yet. Others may choose to do so (e.g. CDXGen).

What are your thoughts on install scripts?

[jkowalleck]

updated.

• finalized the bundled-component marker
• incorporated engine and os.
• skipped on config and scripts as i have currently no idea what the content should be. will leave it to the first person woh might implements/uses it.

[jkowalleck]

@stevespringett could you advice how a boolean value should be represented? currently i went with case-sensitive true/false. is this okay?

[stevespringett]

could you advice how a boolean value should be represented? currently i went with case-sensitive true/false. is this okay?

I think that's ok. But question to the group... Is cdx:npm:package:install-scripts-present valuable or can this be derived from the presence of one or more cdx:npm:package:install-script?

install-scripts-present seems redundant.

[jkowalleck]

regarding install-time scripts: see https://docs.npmjs.com/cli/v8/using-npm/scripts#npm-install the list of all (custom) scripts that can run during the install phase. remember: each script may also call other scripts internally. remember: local installs run additional scripts, when the package is not pre-made.

[jkowalleck]

thank you for the initial feedback. finalized the docs that i see in need for a merge. additions are welcome in later pull-requests, but the current {minimal} state is the one i'd love to see in the specs.

ready for review.

[stevespringett]

Thanks @jkowalleck. LGTM