Include NPM dependencies in the SBOM

[heruan]

To properly support V24 the SBOM must include not only Maven dependencies but also NPM dependencies coming from web components.

CycloneDX is currently used to generate the SBOM from the Maven POM using their own Maven plugin, and the suite also provides an NPM plugin. It would be convenient to have all the dependencies in a single SBOM file, and it would be even better if the CycloneDX Maven plugin could be able to scan NPM dependencies. Some research needs to be done:

• [x] Verify if the CycloneDX Maven plugin can be configured to scan also NPM packages
• [x] Check if the CycloneDX Maven and NPM plugins can use the same output file and merge dependencies together
• [x] If the latter is not possible, investigate if it's possible to merge the two SBOMs into a single one manually

A V24 demo project should be added to the repositories so it can be used a prototype while testing the above options.

[tamasmak]

A V24 Spring demo application has been created in PR76. This PR beside the appsec-kit-demo-v24-spring also includes the appsec-kit-v24 module where the appsec-kit-backend is used. These are the findings until now:

• The backend works well with V24: can parse the SBOM from Maven dependencies, can get the vulnerabilities from OSV API, only a new GitHub releases URL for Flow versions needs to be added later to get the vulnerability analysis properly.
• The V24 Spring demo application can generate the SBOM from Maven dependencies with cyclonedx-maven-plugin
• The cyclonedx-maven-plugin can’t be configured to scan also the NPM packages.
• The last two goals from this ticket are still in in-progress. In V24 there are no package.json and package-lock.json files because in development mode Flow avoids populating node_modules and running Vite by using a prebuilt frontend bundle. It is under investigation now how the cyclonedx-npmplugin could be run to get the NPM dependencies and also if it can be used with project directories or workspaces without package.json files.
• Currently the PR76 build fails because there are new modules in the project which use newer Java version. This is the appsec-kit-v24 which requires Java 17 or 19. This is also in-progress to fix the build in TeamCity.

[tamasmak]

To be able to verify the last two goals of this ticket I've created a V23 Spring demo application where the package.json is still present. With this I could test the usage of the cyclonedx-npm plugin and that how could we combine (in memory) the generated SBOMs from maven and npm dependencies.

To use thecyclonedx-npm plugin it should be installed as a development dependency of the current project: npm install --save-dev @cyclonedx/cyclonedx-npm

To generate the SBOM from npm dependencies the cyclonedx-npm plugin should be run in the postinstall step. The following should be added to the package.json:

"scripts": {
  "postinstall": "npx @cyclonedx/cyclonedx-npm --omit dev --output-file target/classes/resources/bom-npm.json --output-format JSON"
}

This will generate the bom-npm.json SBOM file in the target/classes/resources/ directory if the directory exists.

There is no built-in solution in cyclonedx-maven-plugin nor in cyclonedx-npm plugin to combine two SBOM files or to use one output for both plugins. Only the cyclonedx-cli tool has the merge functionality but we want to ommit using cli tools for now. To achieve this a custom combiner is needed. There are already some solutions for this in https://github.com/CycloneDX/sbom-combiner https://github.com/CycloneDX/sbom-commons-combiner but these solutions are not deployed in the Maven repository and depend on dependencies which are not available anymore. However, based on these I've created a similar solution in one BillOfMaterialsCombiner class which can combine the content of two SBOMs in a memory or can write it to a file if needed.

The final step of this ticket is to investigate how could we apply these steps in V24.

[knoobie]

Outsider's perspective: Vaadin 24 has three modes of interest in my opinion:

• frontendHotDeploy of the maven configuration set to true enforce vite / package.json in the project: the above mentioned solution for Vaadin 23 could be applied
• the default production bundle: the SBOM of this could be published by the platform build and included in the production bundle
• a custom production bundle commited to the repository: there should be guidelines for the developer how to create create a SBOM for this bundle and referencing it inside the build process for the cylonedx maven plugin to consume

Edit: Another thing to consider: There is a difference between the package(-lock).json and the real Javascript to be on runtime in the production build, because flow only includes the components it can find using byte code scanning.. Meaning, the npm scan might contain a lot more components than used in the final product, resulting in a false bom. (even tho the same could be said for all the vaadin-core components that are transitive dependencies and might not even be used by the developer (and I highly doubt that a lot of people are excluding the dependencies they don't used))