    @cyclonedx/webpack-plugin

    3.1.1 • Public • Published


    CycloneDX Webpack Plugin

    This plugin for webpack creates a CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all bundled dependencies.
    It uses the module linkages generated by webpack to build a dependency graph that contains only the dependencies that actually end up in the bundle (after tree-shaking), not everything declared in package.json.

    Requirements

    • Node.js >= 14
    • webpack ^5

    Older versions of this plugin support older runtimes:

    • Node.js v8.0.0 or higher
    • webpack v4.0.0 or higher

    Installing

    npm i -D @cyclonedx/webpack-plugin
    yarn add -D @cyclonedx/webpack-plugin

    Usage

    new CycloneDxWebpackPlugin(options?: object)

    Options & Configuration

    specVersion
        Type: {string}, one of "1.2", "1.3", "1.4"
        Default: "1.4"
        Which version of the CycloneDX spec to use. Supported values depend on the installed CycloneDX-javascript-library.

    reproducibleResults
        Type: {boolean}
        Default: false
        Whether to go the extra mile and make the output reproducible. Reproducibility may drop time- and random-based values.

    outputLocation
        Type: {string}
        Default: "./cyclonedx"
        Path to write the output to, relative to webpack's overall output path.

    includeWellknown
        Type: {boolean}
        Default: true
        Whether to also write the SBOM to the well-known location (see "Support for IETF /.well-known/sbom" below).

    wellknownLocation
        Type: {string}
        Default: "./.well-known"
        Path to write the well-known copy to, relative to webpack's overall output path.

    rootComponentAutodetect
        Type: {boolean}
        Default: true
        Whether to try auto-detection of the RootComponent: find the nearest package.json and build a CycloneDX component from it, which is assigned to bom.metadata.component.

    rootComponentType
        Type: {string}
        Default: "application"
        Set the RootComponent's type. Supported values depend on CycloneDX-javascript-library's enum ComponentType.

    rootComponentName
        Type: {string}, optional
        Default: undefined
        If rootComponentAutodetect is disabled, this value is used as the "name" of the RootComponent, as if read from package.json.

    rootComponentVersion
        Type: {string}, optional
        Default: undefined
        If rootComponentAutodetect is disabled, this value is used as the "version" of the RootComponent, as if read from package.json.

    Example

    In your webpack config add the CycloneDX plugin:

    const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');
    
    /** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */
    const cycloneDxWebpackPluginOptions = {
      specVersion: '1.4',
      outputLocation: './bom'
    }
    
    module.exports = {
      // ...
      plugins: [
        new CycloneDxWebpackPlugin(cycloneDxWebpackPluginOptions)
      ]
    }

    See extended examples.

    Support for IETF /.well-known/sbom

    The CycloneDX Webpack plugin supports placing the CycloneDX SBOM in a pre-defined location, specifically in /.well-known/sbom. This option is enabled by default. The behavior can be changed by overriding the values of includeWellknown and wellknownLocation.
    See draft-lear-opsawg-sbom-access for more information on the specification, currently an IETF draft.

    In your webpack config, set the well-known options (the values shown are the defaults):

    const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');
    
    /** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */
    const cycloneDxWebpackPluginOptions = {
      includeWellknown: true,
      wellknownLocation: './.well-known'
    }
    
    module.exports = {
      // ...
      plugins: [
        new CycloneDxWebpackPlugin(cycloneDxWebpackPluginOptions)
      ]
    }

    Use with Angular

    Angular uses Webpack under the hood. Therefore, it is possible to integrate this plugin by utilizing @angular-builders/custom-webpack.

    Use with React

    React uses Webpack under the hood. Therefore, it is possible to integrate this plugin.

    Development & Contributing

    Feel free to open issues, bug reports or pull requests.
    See the CONTRIBUTING file for details.

    License

    Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
    See the LICENSE file for the full license.

    Package metadata (npm)

    Install: npm i @cyclonedx/webpack-plugin
    Weekly Downloads: 1,900
    Version: 3.1.1
    License: Apache-2.0
    Unpacked Size: 41.2 kB
    Total Files: 10
    Collaborators: cyclonedx-automation, jkowalleck, sspringett, eoftedal, coderpatros