Not all min.js dependencies found

[PVullings-ASC]

Hi all,

We have a large .NET project with a backbone/marionette (i.e. html, javascript) frontend.

When cdxgen is run over the project, it finds all the NuGET dependencies (great) but only a couple of the javascript dependencies.

I see from the docs that cdxgen processes .min.js files. The javascript dependencies for this project are in a scripts folder (and sub folders, some many layers deep), and almost all have .min.js files but are not being detected.

Some examples that are not detected are TinyMCE, marionette, bootstrap, underscore.

I am running cdxgen without specifying a type:

cdxgen --required-only -o sbom.json

1. Am I doing anything that is preventing the other js dependencies from being found?
2. Is there a way I can force cdxgen to find them (e.g. list them all in a file somewhere)? - this isn't ideal, but better than nothing :)

Thank you!

[prabhu]

min.js detection is quite low accuracy relying on some comment patterns to identify the package name and version. The ideal approach is to use a package manager and bundling tool instead of vendoring the .min.js files in the repo. Maybe creating separate package.json files for each of these vendored dependency might work with some little tweaking.

Some users are known to use other cyclonedx tools to generate an sbom from a csv file and then merge with the cdxgen sbom.