infor-design / enterprise-ng

Angular wrappers for IDS Enterprise components
Apache License 2.0
57 stars 84 forks

Need a SBOM report for Infor GRC Product #1741

Closed AdityaBhinge closed 2 weeks ago

AdityaBhinge commented 2 months ago

Hi, Aditya here from the Infor GRC automation team. Infor GRC has been generating SBOM reports for vulnerability scanning. Recently, we have been asked to obtain SBOM reports from third-party resources we have been using. Therefore, I request you to provide me with the SBOM report for the package ids-enterprise-ng, version 17.5.9.

tmcconechy commented 2 months ago

@AdityaBhinge you can generate an SBOM from the following page(s), one for each repo that you use:

https://github.com/infor-design/enterprise-ng/network/dependencies
https://github.com/infor-design/enterprise-wc/network/dependencies
https://github.com/infor-design/enterprise/network/dependencies

Click Export SBOM on that page. At a higher level, the dependencies are:

Enterprise: jQuery, d3
Enterprise NG: Angular / enterprise

I don't quite get why the SBOM is so extremely large and if it's all needed.

AdityaBhinge commented 1 month ago

Thanks @tmcconechy for the quick response.

AdityaBhinge commented 1 month ago

@tmcconechy I have seen the report; it is of the latest code of the repository. Can I get a version-specific report of the mentioned library, as we are not currently using the latest version of those? Also, is it possible to get the SBOM in CycloneDX format, as the report is required to be provided in that format?

tmcconechy commented 1 month ago

No, GitHub doesn't have a way to do that. But I do not think the dependencies (except some version numbers) have ever changed, except for dev dependencies (internal build tools etc.)...

Are you using the HUGE GitHub one or just:

Enterprise: jQuery, d3
Enterprise NG: Angular / enterprise

If just the actual dependencies, then I can tell you the versions for the version you're using, if you tell me the version.

Can you just run CycloneDX on the repo? I don't have this.

tmcconechy commented 2 weeks ago

@AdityaBhinge Learning more about this, I think you can run https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm on your package.json and get it in the right format; it should include those components if there are dependencies.