This plugin for webpack creates a CycloneDX Software Bill of Materials (SBoM)
containing an aggregate of all bundled dependencies.
This plugin uses the linkages generated by webpack to create a dependency graph which only contain the dependencies
that are actually used (after tree-shaking).
-
Node.js
>= 14 -
webpack
^5
However, there are older versions of this plugin, that support
- Node.js v8.0.0 or higher
- webpack v4.0.0 or higher
npm i -D @cyclonedx/webpack-plugin
yarn add -D @cyclonedx/webpack-pluginnew CycloneDxWebpackPlugin(options?: object)| Name | Type | Default | Description |
|---|---|---|---|
specVersion |
{string}one of: "1.2", "1.3", "1.4", "1.5"
|
"1.4" |
Which version of CycloneDX-spec to use. Supported values depend on the installed dependency CycloneDX-javascript-library. |
reproducibleResults |
{boolean} |
false |
Whether to go the extra mile and make the output reproducible. Reproducibility might result in loss of time- and random-based-values. |
validateResults |
{boolean} |
true |
Whether to validate the BOM result. Validation is skipped, if requirements not met. Requires transitive optional dependencies. |
outputLocation |
{string} |
"./cyclonedx" |
Path to write the output to. The path is relative to webpack's overall output path. |
includeWellknown |
{boolean} |
true |
Whether to write the Wellknowns. |
wellknownLocation |
{string} |
"./.well-known" |
Path to write the Wellknowns to. The path is relative to webpack's overall output path. |
rootComponentAutodetect |
{boolean} |
true |
Whether to try auto-detection of the RootComponent. Tries to find the nearest package.json and build a CycloneDX component from it, so it can be assigned to bom.metadata.component. |
rootComponentType |
{string} |
"application" |
Set the RootComponent's type. See the list of valid values. Supported values depend on CycloneDX-javascript-library's enum ComponentType. |
rootComponentName |
optional {string}
|
undefined |
If rootComponentAutodetect is disabled, then this value is assumed as the "name" of the package.json. |
rootComponentVersion |
optional {string}
|
undefined |
If rootComponentAutodetect is disabled, then this value is assumed as the "version" of the package.json. |
In your webpack config add the CycloneDX plugin:
const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');
/** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */
const cycloneDxWebpackPluginOptions = {
specVersion: '1.4',
outputLocation: './bom'
}
module.exports = {
// ...
plugins: [
new CycloneDxWebpackPlugin(cycloneDxWebpackPluginOptions)
]
}See extended examples.
The CycloneDX webpack plugin supports placing the CycloneDX SBOM in a pre-defined location, specifically in
/.well-known/sbom. This option is enabled by default. The behavior can be changed by overriding the values
of includeWellknown and wellknownLocation.
See draft-ietf-opsawg-sbom-access for more information on the specification, currently an IETF draft.
In your webpack config add the CycloneDX plugin:
const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');
/** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */
const cycloneDxWebpackPluginOptions = {
includeWellknown: true,
wellknownLocation: './.well-known'
}
module.exports = {
// ...
plugins: [
new CycloneDxWebpackPlugin(cycloneDxWebpackPluginOptions)
]
}Angular uses webpack under the hood. Therefore, it is possible to integrate this plugin by utilizing
@angular-builders/custom-webpack.
See an example here: integration with Angular13/webpack5.
React uses webpack under the hood. Therefore, it is possible to integrate this plugin.
See an example here: integration with React18/webpack5.
This webpack plugin utilizes the CycloneDX library to generate the actual data structures.
Besides the class CycloneDxWebpackPlugin and the interface CycloneDxWebpackPluginOptions,
this webpack plugin does not expose any additional public API or classes - all code is intended to be internal and might change without any notice during version upgrades.
Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.