SBOM is different from cyclonedx-node-module's SBOM #680
Replies: 2 comments
-
All true. The resulting CycloneDX documents are still correct.
This tool is more precise when generating PURLs. This is in favour of the PURL spec for NPM: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#npm
-
This should be a bug. There is even a demo/integration test for this feature: https://github.com/CycloneDX/cyclonedx-node-npm/tree/main/demo/package-integrity Would you provide a reproducible example and file an issue here: https://github.com/CycloneDX/cyclonedx-node-npm/issues/new/choose
-
Both utilities use the same "--spec-version 1.3", but the result format is different. Why is this?
For example, purl and bom-ref in cyclonedx-node-module are like this:
In cyclonedx-node-npm they are like this:
Another issue: cyclonedx-node-module resolved the hash value, but cyclonedx-node-npm does not resolve it. Will this issue be resolved in future versions?
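The two points raised in this thread, how the npm PURL/bom-ref is built and how a component hash is derived from the lock file, illustrated by an added example that is not code from the discussion or from either CycloneDX project. It reads constructed package-lock.json entries and emits CycloneDX-style components; the PURL encoding (scope as namespace with `@` as `%40`), the use of the PURL as `bom-ref`, the `lock_to_components` helper and the sample entries are all assumptions.

```python
import base64
import hashlib
import json
from urllib.parse import quote

# Constructed package-lock.json (lockfileVersion 2/3 layout), not taken from the thread.
# npm stores each package digest as an SRI string: "<alg>-<base64 digest>".
LOCK_JSON = json.dumps({
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "integrity": "sha512-" + base64.b64encode(hashlib.sha512(b"").digest()).decode(),
        },
        "node_modules/@scope/pkg": {
            "version": "1.0.0",
            "integrity": "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
        },
    }
})

# SRI algorithm -> CycloneDX hash "alg" value, plus the expected digest length in bytes.
SRI_ALGS = {"sha256": ("SHA-256", 32), "sha384": ("SHA-384", 48), "sha512": ("SHA-512", 64)}

def npm_purl(name: str, version: str) -> str:
    """Build a pkg:npm PURL. Assumption: a scoped name "@scope/pkg" becomes namespace "%40scope"
    and name "pkg"; every path segment and the version are percent-encoded."""
    if name.startswith("@"):
        scope, bare = name[1:].split("/", 1)
        path = f"%40{quote(scope, safe='')}/{quote(bare, safe='')}"
    else:
        path = quote(name, safe="")
    return f"pkg:npm/{path}@{quote(version, safe='')}"

def sri_to_hash(sri: str) -> dict:
    """Convert an SRI string into a CycloneDX hash object (alg + lowercase hex content),
    rejecting unknown algorithms and digests whose length does not match the algorithm."""
    alg, _, b64 = sri.partition("-")
    if alg not in SRI_ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    cdx_alg, size = SRI_ALGS[alg]
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != size:
        raise ValueError(f"{alg} digest has {len(digest)} bytes, expected {size}")
    return {"alg": cdx_alg, "content": digest.hex()}

def lock_to_components(lock_text: str) -> list:
    """Map every installed package in the lock file to a CycloneDX component dict."""
    components = []
    for path, entry in json.loads(lock_text)["packages"].items():
        if path == "":  # the root project itself is not a dependency component
            continue
        name = path.rsplit("node_modules/", 1)[1]  # nested installs keep only the last segment
        purl = npm_purl(name, entry["version"])
        comp = {"type": "library", "name": name, "version": entry["version"],
                "purl": purl, "bom-ref": purl}  # assumption: PURL doubles as the unique bom-ref
        if name.startswith("@"):
            comp["group"], comp["name"] = name.split("/", 1)
        if "integrity" in entry:
            comp["hashes"] = [sri_to_hash(entry["integrity"])]
        components.append(comp)
    return components
```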