Large discrepancies in number of components between "cyclonedx/bom v3.10.6" and "cyclonedx/cyclonedx-npm v1.6.0"

[EvgeniaPatsoni]

Hello,

Environment information:

• OS: 20.04.2 LTS (Focal Fossa)
• npm: v6.14.14
• node: v14.17.5

---

This is more of a "general knowledge question", as I am trying to conclude to which cyclonedx module/version generates the most representative results. I am sorry in advance if this is not the right place to be asking it.

My use case is that I need to generate bom.xml files for some angular projects and then send them to Dependency Track platform for analysis.

Up until version 3 of @cyclonedx/bom, I was generating my bom.xml files as follows:

    npm install -g @cyclonedx/bom@3.10.6
    cyclonedx-bom -o bom.xml

The bom.xml that was generated in the way above, outputs 430 Components in Dependency Track.

---

However I understand that major version 4 release of @cyclonedx/bom introduced breaking changes.
So, I now try to utilize @cyclonedx/cyclonedx-npm, and I generate my bom.xml files like this:

   npm install --global @cyclonedx/cyclonedx-npm
   cyclonedx-npm --omit dev --ignore-npm-errors --output-format xml --output-file bom.xml

The bom.xml file that was generated in the way above, outputs 170 Components in Dependency Track.
(Without the --omit dev flag, I get >700 components)

Both tests were obviously ran for the exact same project.

---

So my question is, why is there such a large discrepancy in the final number of Components, for the same project, between @cyclonedx/bom@3.10.6 and @cyclonedx/cyclonedx-npm@1.6.0 ?

Thank you in advance

[jkowalleck]

the sort answer: @cyclonedx/bom had issues detecting all the dependencies, so some were not in the SBOM result.

The long answer:
@cyclonedx/cyclonedx-npm not only finds ALL the dependencies, but it also does not run artificial component deduplication. The reasons are described here and are discussed here and here ... and there.