Creates CycloneDX Software Bill of Materials (SBOM) from webpack bundles

CycloneDX Webpack Plugin

The CycloneDX plugin for Webpack creates a valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all bundled dependencies. This plugin uses the linkages generated by webpack to create a dependency graph that contains only the dependencies that are actually used.

Requirements

  • Node.js v8.0.0 or higher
  • Webpack v4.0.0 or higher

Usage

Installing

npm i -D @cyclonedx/webpack-plugin

Example

In your webpack config, add the CycloneDX plugin:

const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');

module.exports = {
  ...

  plugins: [
    new CycloneDxWebpackPlugin({
      context: '../',
      outputLocation: './artifacts'
    })
  ]
};

Support for IETF /.well-known/sbom

The CycloneDX Webpack plugin supports placing the CycloneDX SBOM in a pre-defined location, specifically in /.well-known/sbom. This option is enabled by default. The behavior can be changed by overriding the values of includeWellknown and wellknownLocation.

See draft-lear-opsawg-sbom-access for more information on the specification, currently an IETF draft.

In your webpack config, add the CycloneDX plugin with both options set explicitly:

const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');

module.exports = {
  ...

  plugins: [
    new CycloneDxWebpackPlugin({
      context: '../',
      outputLocation: './artifacts',
      includeWellknown: true,
      wellknownLocation: './.well-known'
    })
  ]
};

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.