Generate SBOMs for JS components

[toddbaert]

We have SBOMs currently for Java and Go. We could use them here as well. I recommend this utility: https://github.com/marketplace/actions/cyclonedx-node-js-generate-sbom (we're using the clyclonedx format elsewhere and it's popular).

Definition of done:

• SBOMs generated and attached to release artifact in GH, or otherwise made publicly available (for every release)
• runtime dependencies only included
• only includes dependencies of module in question (not of repo)

[lukas-reining]

If someone else likes, this person can take it.
Otherwise I would do it 🙂

[lukas-reining]

Just out of interest @toddbaert.
As OpenFeature is a CNCF project, wouldn't it make sense to use SPDX as format?
(Edit: Just saw that CNCF is "supporter" of CycloneDX regarding to the Cyclone page, thought that CNCF might prefer SPDX as it is a Linux Foundation Project)

If so we could just use npm sbom to generate it, which we could also use for CycloneDX.

[toddbaert]

If someone else likes, this person can take it. Otherwise I would do it 🙂

Feel free!

Just out of interest @toddbaert. As OpenFeature is a CNCF project, wouldn't it make sense to use SPDX as format? (Edit: Just saw that CNCF is "supporter" of CycloneDX regarding to the Cyclone page, thought that CNCF might prefer SPDX as it is a Linux Foundation Project)

If so we could just use npm sbom to generate it, which we could also use for CycloneDX.

CycloneDX is a bit more minimalist and was specifically designed for SBOMs, whereas SPDX, is more general. We also use it in the Java SDK, so that's why I favor it, but I would be fine with SPDX as well.

As far as tooling, I think a github action is the easiest way since it will save you a bit of github yaml, but again I don't mind as long as it works!

Let me know if I should assign this to you.

[lukas-reining]

Okay, sounds good to me!
I assigned myself and will do this in the next days.

[toddbaert]

Thanks! Whatever we do here we also can eventually do in the contribs. That will probably be a bit harder because it's a monorepo.

open-feature/js-sdk-contrib#629