
[BUG] sbom cyclonedx missing properties #8105

Open
2 tasks done
PaddeK opened this issue Feb 13, 2025 · 2 comments
Labels
Bug (thing that needs fixing), Needs Triage (needs review for next steps)

Comments


PaddeK commented Feb 13, 2025

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Running npm sbom --sbom-format cyclonedx with npm@11.1.0 results in an SBOM with empty properties in bom-ref entries.

Example:

    {
      "bom-ref": "mqtt@5.10.1",
      "type": "library",
      "name": "mqtt",
      "version": "5.10.1",
      "scope": "required",
      "description": "A library for the MQTT protocol",
      "purl": "pkg:npm/mqtt@5.10.1",
      "properties": [],
      "externalReferences": [
        {
          "type": "distribution",
          "url": "https://registry.npmjs.org/mqtt/-/mqtt-5.10.1.tgz"
        },
        {
          "type": "vcs",
          "url": "git://github.com/mqttjs/MQTT.js.git"
        },
        {
          "type": "website",
          "url": "https://github.com/mqttjs/MQTT.js#readme"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/mqttjs/MQTT.js/issues"
        }
      ],
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "85708e922f2c00da10ef0fb63b327383aa8c0714edac7f5196754d57ca5a9cb6609e5f8687427fb7893aafc033f3e0bbcb72807325ed9f49a62e2c725289bc4b"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
    },

Expected Behavior

Running npx @cyclonedx/cyclonedx-npm or using [email protected] both produce cdx:npm:package:path in properties.

Example:

    {
      "type": "library",
      "name": "mqtt",
      "version": "5.10.1",
      "bom-ref": "mqtt@5.10.1",
      "description": "A library for the MQTT protocol",
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "acknowledgement": "declared"
          }
        }
      ],
      "purl": "pkg:npm/mqtt@5.10.1",
      "externalReferences": [
        {
          "url": "git://github.com/mqttjs/MQTT.js.git",
          "type": "vcs",
          "comment": "as detected from PackageJson property \"repository.url\""
        },
        {
          "url": "https://github.com/mqttjs/MQTT.js#readme",
          "type": "website",
          "comment": "as detected from PackageJson property \"homepage\""
        },
        {
          "url": "https://github.com/mqttjs/MQTT.js/issues",
          "type": "issue-tracker",
          "comment": "as detected from PackageJson property \"bugs.url\""
        },
        {
          "url": "https://registry.npmjs.org/mqtt/-/mqtt-5.10.1.tgz",
          "type": "distribution",
          "comment": "as detected from npm-ls property \"resolved\""
        }
      ],
      "properties": [
        {
          "name": "cdx:npm:package:path",
          "value": "node_modules/mqtt"
        }
      ]
    },
   ...

Steps To Reproduce

No response

Environment

  • npm: 11.1.0
  • Node.js: 22.14.0
  • OS Name: macOS 15.3
  • System Model Name: Macbook Pro
@PaddeK PaddeK added Bug thing that needs fixing Needs Triage needs review for next steps labels Feb 13, 2025
kchindam-infy commented

@PaddeK I cannot reproduce the issue, and I can see only the behaviours of the output which you provided. Please provide valid steps to reproduce the issue.


PaddeK commented Feb 20, 2025

@kchindam-infy I created a minimal repo to reproduce the bug here: https://github.com/PaddeK/sbom-bug-reproduction

Just clone it, then run npm run i and then npm run sbom.

With npm@11.1.0 properties are empty; using [email protected] everything is fine.
