CycloneDX Webpack Plugin
The CycloneDX plugin for Webpack creates a valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all bundled dependencies. This plugin uses the linkages generated by webpack to create a dependency graph which only contains the dependencies that are actually used.
Requirements
- Node.js v8.0.0 or higher
- Webpack v4.0.0 or higher
Usage
Installing
npm i -D @cyclonedx/webpack-plugin
Example
In your webpack config, add the CycloneDX plugin:

    const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');

    module.exports = {
      ...
      plugins: [
        new CycloneDxWebpackPlugin({
          context: '../',
          outputLocation: './artifacts'
        })
      ]
    };
Support for IETF /.well-known/sbom
The CycloneDX Webpack plugin supports placing the CycloneDX SBOM in a pre-defined location, specifically in /.well-known/sbom. This option is enabled by default. The behavior can be changed by overriding the values of includeWellknown and wellknownLocation.
See draft-lear-opsawg-sbom-access for more information on the specification, currently an IETF draft.
In your webpack config, add the CycloneDX plugin with the well-known options set explicitly:

    const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');

    module.exports = {
      ...
      plugins: [
        new CycloneDxWebpackPlugin({
          context: '../',
          outputLocation: './artifacts',
          includeWellknown: true,
          wellknownLocation: './.well-known'
        })
      ]
    };
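Once a build has written the SBOM, a consumer will usually want to check it before trusting it. The following Node script is an added example, not part of @cyclonedx/webpack-plugin or this README: it walks the `dependencies` graph of a CycloneDX JSON BOM from the root component and reports components that are not reachable from it (which should not happen for a bundle-derived graph) or that lack a Package URL. The BOM is a constructed sample embedded inline; for a real build, load the JSON the plugin wrote under outputLocation instead (the file name is not given on this page).

```javascript
// Added example (not plugin code): audit a CycloneDX JSON BOM's dependency graph.
// SAMPLE_BOM is constructed for this example and follows the CycloneDX 1.4 JSON shape.
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.4',
  version: 1,
  metadata: { component: { type: 'application', name: 'my-app', version: '1.0.0', 'bom-ref': 'my-app@1.0.0' } },
  components: [
    { type: 'library', name: 'lodash', version: '4.17.21', purl: 'pkg:npm/lodash@4.17.21', 'bom-ref': 'pkg:npm/lodash@4.17.21' },
    { type: 'library', name: 'left-pad', version: '1.3.0', purl: 'pkg:npm/left-pad@1.3.0', 'bom-ref': 'pkg:npm/left-pad@1.3.0' },
    // Listed but never linked from the root and without a purl: both findings should be flagged.
    { type: 'library', name: 'orphan', version: '0.0.1', 'bom-ref': 'orphan@0.0.1' },
  ],
  dependencies: [
    { ref: 'my-app@1.0.0', dependsOn: ['pkg:npm/lodash@4.17.21'] },
    { ref: 'pkg:npm/lodash@4.17.21', dependsOn: ['pkg:npm/left-pad@1.3.0'] },
    { ref: 'pkg:npm/left-pad@1.3.0', dependsOn: [] },
  ],
};

function auditBom(bom) {
  if (bom.bomFormat !== 'CycloneDX' || typeof bom.specVersion !== 'string') {
    throw new Error('not a CycloneDX JSON BOM');
  }
  const rootRef = bom.metadata && bom.metadata.component && bom.metadata.component['bom-ref'];
  if (!rootRef) throw new Error('metadata.component.bom-ref is required to walk the graph');
  // Adjacency list: bom-ref -> refs it depends on.
  const edges = new Map((bom.dependencies || []).map(d => [d.ref, d.dependsOn || []]));
  // Iterative depth-first walk from the root; a Set guards against cycles.
  const reachable = new Set();
  const stack = [rootRef];
  while (stack.length) {
    const ref = stack.pop();
    if (reachable.has(ref)) continue;
    reachable.add(ref);
    stack.push(...(edges.get(ref) || []));
  }
  const components = bom.components || [];
  return {
    total: components.length,
    reachable: components.filter(c => reachable.has(c['bom-ref'])).map(c => c['bom-ref']),
    unreachable: components.filter(c => !reachable.has(c['bom-ref'])).map(c => c['bom-ref']),
    missingPurl: components.filter(c => !c.purl).map(c => c['bom-ref']),
  };
}

console.log(JSON.stringify(auditBom(SAMPLE_BOM), null, 2));
```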
License
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.