Open schewara opened 10 months ago
One of the downsides to the binary lock file (bun.lockb) is that SBOM and SCA tools can't natively use this file to find packages being used. As @schewara mentions you can use the yarn.lock file, but it is a workaround.
What is the problem this feature would solve?
There is currently no proper way to automatically scan for vulnerabilities or license issues as part of a CI/CD pipeline.
What is the feature you are proposing to solve the problem?
Bun is a fairly new project and therefore it is to be expected that most of the existing vulnerability scanners do not yet support bun. Some tools might implement bun support in the near future, while others may never (or only in a future far far away) support it.
To improve the current situation, it would be great if Bun would provide a functionality to output a standardized software bill of materials (SBOM) file, like SPDX or CycloneDX, as part of bun install or bun pm.
This would make integration and support with most security tools almost a no brainer, as the tool vendors don't have to integrate and maintain another format of another tool.
What alternatives have you considered?
As we are using Trivy we considered using the yarn.lock file (as discussed in https://github.com/aquasecurity/trivy/discussions/5996), but this seems to be only a workaround until full support is integrated into it.
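As an added example (not Bun's code and not the issue author's), the script below shows what the requested SBOM output would look like when built from the yarn.lock workaround mentioned above: it parses a yarn v1 lockfile (the format bun install --yarn writes) and emits a minimal CycloneDX 1.4 JSON document with a package URL, the integrity hash and the resolved tarball URL per component, which is what SCA tools such as Trivy key on. The lockfile content, package names, URLs and hashes in the sample are constructed for illustration. Note the two details that are easy to get wrong when hand-rolling this: scoped npm names must have their scope percent-encoded in the purl (pkg:npm/%40scope/pkg@1.2.3), and a lockfile carries no license information, so a license scan still needs the package.json metadata of each installed package.

```javascript
// Added example: yarn v1 lockfile -> CycloneDX 1.4 JSON SBOM.
// Not part of Bun; assumes a yarn v1 lockfile as written by `bun install --yarn`.

// Constructed sample lockfile (names, URLs and integrity values are illustrative).
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg@^1.0.0":
  version "1.2.3"
  resolved "https://registry.example.invalid/@scope/pkg/-/pkg-1.2.3.tgz#deadbeef"
  integrity sha512-AQID

lodash@^4.17.20, lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.example.invalid/lodash/-/lodash-4.17.21.tgz#cafe"
  integrity sha512-BAUG
  dependencies:
    version "^9.9.9"
`;

// Parse the lockfile into { keys, version, resolved, integrity } entries.
// Only 2-space-indented fields are read, so a nested "dependencies:" block
// (4-space indent) can never be mistaken for the entry's own version field.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header: comma-separated, optionally quoted "name@range" keys ending in ':'
      const keys = line
        .replace(/:\s*$/, "")
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { keys, version: null, resolved: null, integrity: null };
      entries.push(current);
      continue;
    }
    if (!current || !/^ {2}\S/.test(line)) continue;
    const m = line.trim().match(/^(version|resolved|integrity)\s+"?([^"]+)"?$/);
    if (m) current[m[1]] = m[2];
  }
  return entries;
}

// "@scope/pkg@^1.0.0" -> "@scope/pkg"; "lodash@^4.17.20" -> "lodash".
function nameFromKey(key) {
  const at = key.lastIndexOf("@");
  return at > 0 ? key.slice(0, at) : key;
}

// Package URL per the purl spec: the npm scope is a namespace and its '@' is encoded.
function toPurl(name, version) {
  if (name.startsWith("@")) {
    const slash = name.indexOf("/");
    const scope = encodeURIComponent(name.slice(0, slash));
    return `pkg:npm/${scope}/${name.slice(slash + 1)}@${version}`;
  }
  return `pkg:npm/${name}@${version}`;
}

// SRI integrity ("sha512-<base64> ...") -> CycloneDX hashes [{ alg, content(hex) }].
function integrityToHashes(integrity) {
  if (!integrity) return [];
  const algs = { sha1: "SHA-1", sha256: "SHA-256", sha384: "SHA-384", sha512: "SHA-512" };
  return integrity.split(/\s+/).flatMap((item) => {
    const dash = item.indexOf("-");
    const alg = algs[item.slice(0, dash)];
    if (!alg) return [];
    return [{ alg, content: Buffer.from(item.slice(dash + 1), "base64").toString("hex") }];
  });
}

// Build the CycloneDX document; one component per unique name@version.
function buildCycloneDx(lockText, project = { name: "app", version: "0.0.0" }) {
  const seen = new Map();
  for (const e of parseYarnLockV1(lockText)) {
    if (!e.version) continue;
    const name = nameFromKey(e.keys[0]);
    const id = `${name}@${e.version}`;
    if (seen.has(id)) continue;
    seen.set(id, {
      type: "library",
      name,
      version: e.version,
      purl: toPurl(name, e.version),
      hashes: integrityToHashes(e.integrity),
      externalReferences: e.resolved
        ? [{ type: "distribution", url: e.resolved.split("#")[0] }]
        : [],
    });
  }
  const components = [...seen.values()].sort((a, b) =>
    a.purl < b.purl ? -1 : a.purl > b.purl ? 1 : 0
  );
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.4",
    version: 1,
    metadata: { component: { type: "application", name: project.name, version: project.version } },
    components,
  };
}

console.log(JSON.stringify(buildCycloneDx(SAMPLE_YARN_LOCK), null, 2));
```

Run it with bun or node and redirect the output to sbom.cdx.json; Trivy, for instance, can scan a CycloneDX file directly with trivy sbom sbom.cdx.json, which sidesteps the lockfile-format question entirely. Deduplicating on name@version matters because yarn collapses several ranges into one entry but can still list the same version twice under different keys, and an SBOM with duplicate components produces duplicate findings.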