@cyclonedx/webpack-plugin
Advanced tools
Creates CycloneDX Software Bill of Materials (SBoM) from webpack projects
This plugin for webpack creates a CycloneDX Software Bill of Materials (SBoM)
containing an aggregate of all bundled dependencies.
This plugin uses the linkages generated by webpack to create a dependency graph which only contain the dependencies
that are actually used (after tree-shaking).
>= 14^5However, there are older versions of this plugin, that support
npm i -D @cyclonedx/webpack-plugin
yarn add -D @cyclonedx/webpack-plugin
new CycloneDxWebpackPlugin(options?: object)
| Name | Type | Default | Description |
|---|---|---|---|
specVersion | {string}one of: "1.2", "1.3", "1.4", "1.5", "1.6" | "1.4" | Which version of CycloneDX-spec to use. Supported values depend on the installed dependency CycloneDX-javascript-library. |
reproducibleResults | {boolean} | false | Whether to go the extra mile and make the output reproducible. Reproducibility might result in loss of time- and random-based-values. |
validateResults | {boolean} | true | Whether to validate the BOM result. Validation is skipped, if requirements not met. Requires transitive optional dependencies. |
outputLocation | {string} | "./cyclonedx" | Path to write the output to. The path is relative to webpack's overall output path. |
includeWellknown | {boolean} | true | Whether to write the Wellknowns. |
wellknownLocation | {string} | "./.well-known" | Path to write the Wellknowns to. The path is relative to webpack's overall output path. |
rootComponentAutodetect | {boolean} | true | Whether to try auto-detection of the RootComponent. Tries to find the nearest package.json and build a CycloneDX component from it, so it can be assigned to bom.metadata.component. |
rootComponentType | {string} | "application" | Set the RootComponent's type. See the list of valid values. Supported values depend on CycloneDX-javascript-library's enum ComponentType. |
rootComponentName | optional {string} | undefined | If rootComponentAutodetect is disabled, then this value is assumed as the "name" of the package.json. |
rootComponentVersion | optional {string} | undefined | If rootComponentAutodetect is disabled, then this value is assumed as the "version" of the package.json. |
collectEvidence | {boolean} | false | Whether to collect (license) evidence and attach them to the resulting SBOM. |
In your webpack config add the CycloneDX plugin:
const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');
/** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */
const cycloneDxWebpackPluginOptions = {
specVersion: '1.6',
outputLocation: './bom'
}
module.exports = {
// ...
plugins: [
new CycloneDxWebpackPlugin(cycloneDxWebpackPluginOptions)
]
}
See extended examples.
The CycloneDX webpack plugin supports placing the CycloneDX SBOM in a pre-defined location, specifically in
/.well-known/sbom. This option is enabled by default. The behavior can be changed by overriding the values
of includeWellknown and wellknownLocation.
See draft-ietf-opsawg-sbom-access for more information on the specification, currently an IETF draft.
In your webpack config add the CycloneDX plugin:
const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');
/** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */
const cycloneDxWebpackPluginOptions = {
includeWellknown: true,
wellknownLocation: './.well-known'
}
module.exports = {
// ...
plugins: [
new CycloneDxWebpackPlugin(cycloneDxWebpackPluginOptions)
]
}
Angular uses webpack under the hood. Therefore, it is possible to integrate this plugin by utilizing
@angular-builders/custom-webpack.
See an example here: integration with Angular17/webpack5.
React uses webpack under the hood. Therefore, it is possible to integrate this plugin.
See an example here: integration with React18/webpack5.
This webpack plugin utilizes the CycloneDX library to generate the actual data structures.
Besides the class CycloneDxWebpackPlugin and the interface CycloneDxWebpackPluginOptions,
this webpack plugin does not expose any additional public API or classes - all code is intended to be internal and might change without any notice during version upgrades.
Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.
FAQs
Creates CycloneDX Software Bill of Materials (SBoM) from webpack projects
We found that @cyclonedx/webpack-plugin demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.