Description
The cdxgen tool is opinionated and takes a position under certain situations when generating the SBoM. The broader vision I had in mind when this was merely a hobby project was:
- No nuts or gluten must be left behind - cdxgen would report everything it finds, including dev and test dependencies, but would attempt to categorize them as `optional` dependencies (although using the scope attribute to represent optionality is a regret that needs fixing at some point!)
- Any SBoM is better than no SBoM - Often, security people might attempt to scan and generate an SBoM for projects without the development tools like Java/Maven/Node.js installed. cdxgen would still work under these environments (by using fallback logic) but offer helpful messages to improve the SBoM accuracy.
With growing popularity, it is time to start documenting the tool's logic, assumptions, and positions to help consumers and integrators. What would be nice is to add rich comments inline and find a way to export the documentation in markdown format to the repo.
Please recommend any suitable tools and techniques available for Node.js projects.
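As an added illustration (not cdxgen's own code, and not a recommendation made in the issue), the example below shows what the two things asked for could look like in a Node.js project: the "report everything, mark dev and test dependencies as `optional`" position encoded as small helpers whose behaviour is documented in JSDoc blocks, plus a minimal converter that turns those JSDoc blocks into Markdown without any external package. The function names `scopeFor`, `componentsFrom` and `docsToMarkdown`, and the sample manifest and source text, are assumptions made for this example; the CycloneDX `scope` values `required` and `optional` are from the CycloneDX specification.

```javascript
// Added example, not cdxgen's own code. Function names, the sample manifest and
// the sample source below are assumptions made for this illustration.

/**
 * Decide the CycloneDX `scope` of a dependency.
 *
 * Nothing is left out: development and test dependencies are still reported,
 * but marked `optional`. A package listed under both `dependencies` and
 * `devDependencies` is treated as runtime and therefore `required`.
 *
 * @param {string} name - Package name as written in the manifest.
 * @param {object} manifest - Parsed package.json-style manifest.
 * @returns {"required"|"optional"} CycloneDX scope value.
 */
function scopeFor(name, manifest) {
  const runtime = manifest.dependencies || {};
  const dev = manifest.devDependencies || {};
  if (Object.prototype.hasOwnProperty.call(runtime, name)) return "required";
  if (Object.prototype.hasOwnProperty.call(dev, name)) return "optional";
  // Not listed in the manifest at all: err on the side of reporting it.
  return "required";
}

/**
 * Build minimal CycloneDX component entries for every dependency in a
 * manifest, sorted by name so the output is deterministic.
 *
 * @param {object} manifest - Parsed package.json-style manifest.
 * @returns {Array<{name: string, version: string, scope: string}>} Components.
 */
function componentsFrom(manifest) {
  const runtime = manifest.dependencies || {};
  const dev = manifest.devDependencies || {};
  const names = new Set([...Object.keys(runtime), ...Object.keys(dev)]);
  return [...names].sort().map((name) => ({
    name,
    version: runtime[name] || dev[name],
    scope: scopeFor(name, manifest),
  }));
}

/**
 * Render the JSDoc blocks in a source string as Markdown: one `##` heading
 * per documented function, its description, and a bullet per `@param`.
 *
 * @param {string} source - JavaScript source text containing JSDoc comments.
 * @returns {string} Markdown text.
 */
function docsToMarkdown(source) {
  const out = [];
  // A doc block immediately followed by a named function declaration.
  const re = /\/\*\*([\s\S]*?)\*\/\s*function\s+(\w+)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const lines = m[1]
      .split("\n")
      .map((l) => l.replace(/^\s*\*\s?/, "").trimEnd());
    const description = lines.filter((l) => l && !l.startsWith("@")).join(" ");
    const params = lines
      .filter((l) => l.startsWith("@param"))
      .map((l) => "- " + l.replace(/^@param\s+/, ""));
    out.push(`## ${m[2]}`, "", description, "", ...params, "");
  }
  return out.join("\n").trimEnd() + "\n";
}

// Constructed manifest for the example; `lodash` appears in both sections.
const SAMPLE_MANIFEST = {
  name: "sample-app",
  dependencies: { express: "^4.18.2", lodash: "^4.17.21" },
  devDependencies: { jest: "^29.7.0", lodash: "^4.17.21" },
};

// Constructed source text with one documented function.
const SAMPLE_SOURCE = [
  "/**",
  " * Adds two numbers.",
  " *",
  " * @param {number} a - first operand",
  " * @param {number} b - second operand",
  " * @returns {number} the sum",
  " */",
  "function add(a, b) { return a + b; }",
].join("\n");

console.log(JSON.stringify(componentsFrom(SAMPLE_MANIFEST), null, 2));
console.log(docsToMarkdown(SAMPLE_SOURCE));
```

The same `docsToMarkdown` pass run over a project's own source files is the simplest form of "export inline comments to Markdown in the repo"; for anything beyond headings, descriptions and parameters, a full JSDoc parser would be the next step.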