{"id":13717444,"url":"https://github.com/CycloneDX/cyclonedx-webpack-plugin","last_synced_at":"2025-05-07T07:31:27.182Z","repository":{"id":36962910,"uuid":"269251371","full_name":"CycloneDX/cyclonedx-webpack-plugin","owner":"CycloneDX","description":"Generate CycloneDX Software Bill of Materials (SBOM) from webpack bundles at compile time.","archived":false,"fork":false,"pushed_at":"2025-04-24T07:48:05.000Z","size":7673,"stargazers_count":26,"open_issues_count":14,"forks_count":9,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-24T08:39:10.801Z","etag":null,"topics":["bill-of-materials","bom","cyclonedx","hacktoberfest","javascript","mbom","owasp","package-url","purl","sbom","sbom-generator","sbom-tool","software-bill-of-materials","spdx","webpack","webpack-plugin"],"latest_commit_sha":null,"homepage":"https://cyclonedx.org/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CycloneDX.png","metadata":{"files":{"readme":"README.md","changelog":"HISTORY.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"]}},"created_at":"2020-06-04T03:27:11.000Z","updated_at":"2025-04-24T07:48:02.000Z","dependencies_parsed_at":"2023-10-16T21:07:37.412Z","dependency_job_id":"540d6f1a-e744-413e-b121-30c3f4173de8","html_url":"https://github.com/CycloneDX/cyclonedx-webpack-plugin","commit_stats":{"total_commits":779,"total_committers":8,"mean_commits":97.375,"dds":"0.20154043645699615","last_synced_commit":"f4fba64dd7db3a
be126c486529b5f875046188d1"},"previous_names":[],"tags_count":45,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-webpack-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-webpack-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-webpack-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-webpack-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CycloneDX","download_url":"https://codeload.github.com/CycloneDX/cyclonedx-webpack-plugin/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252833492,"owners_count":21811196,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","bom","cyclonedx","hacktoberfest","javascript","mbom","owasp","package-url","purl","sbom","sbom-generator","sbom-tool","software-bill-of-materials","spdx","webpack","webpack-plugin"],"created_at":"2024-08-03T00:01:22.319Z","updated_at":"2025-05-07T07:31:27.146Z","avatar_url":"https://github.com/CycloneDX.png","language":"JavaScript","readme":"# CycloneDX _webpack_ plugin\n\n[![shield_npm-version]][link_npm]\n[![shield_gh-workflow-test]][link_gh-workflow-test]\n[![shield_coverage]][link_codacy]\n[![shield_ossf-best-practices]][link_ossf-best-practices]\n[![shield_license]][license_file]  
\n[![shield_website]][link_website]\n[![shield_slack]][link_slack]\n[![shield_groups]][link_discussion]\n[![shield_twitter-follow]][link_twitter]\n\n----\n\nThis plugin for _[webpack]_ creates a _[CycloneDX]_ Software Bill of Materials (SBOM) containing an aggregate of all bundled dependencies.  \nThis is probably the most accurate, complete SBOM generator for webpack-based builds.\n\nThis plugin uses the linkages generated by _webpack_ to create a dependency graph which only contains the dependencies\nthat are actually used (after [tree-shaking](https://webpack.js.org/guides/tree-shaking/)).\n\n## Requirements\n\n* _Node.js_ `\u003e= 20.18`\n* _webpack_ `^5`\n\nHowever, older versions of this plugin support\n* _Node.js_ v8.0.0 or higher\n* _webpack_ v4.0.0 or higher\n\n## Installing\n\n\n```shell\nnpm i -D @cyclonedx/webpack-plugin\nyarn add -D @cyclonedx/webpack-plugin\n```\n\n## Usage\n\n```javascript\nnew CycloneDxWebpackPlugin(options?: object)\n```\n\n### Options \u0026 Configuration\n\n\u003c!-- the following table is based on `src/plugin.ts`::`CycloneDxWebpackPluginOptions` --\u003e\n\n| Name | Type | Default | Description |\n|:-----|:----:|:-------:|:------------|\n| **`specVersion`** | `{string}`\u003cbr/\u003e one of: `\"1.2\"`, `\"1.3\"`, `\"1.4\"`, `\"1.5\"`, `\"1.6\"` | `\"1.6\"` |  Which version of [CycloneDX-spec] to use.\u003cbr/\u003e Supported values depend on the installed dependency [CycloneDX-javascript-library]. |\n| **`reproducibleResults`** | `{boolean}` | `false` | Whether to go the extra mile and make the output reproducible.\u003cbr/\u003e Reproducibility might result in loss of time- and random-based values. |\n| **`validateResults`** | `{boolean}` | `true` | Whether to validate the BOM result.\u003cbr/\u003e Validation is skipped if the requirements are not met. Requires [transitive optional dependencies](https://github.com/CycloneDX/cyclonedx-javascript-library#optional-dependencies). 
|\n| **`outputLocation`** | `{string}` | `\"./cyclonedx\"` | Path to write the output to. The path is relative to _webpack_'s overall output path. |\n| **`includeWellknown`** | `{boolean}` | `true` | Whether to write the Wellknowns. |\n| **`wellknownLocation`** | `{string}` | `\"./.well-known\"` | Path to write the Wellknowns to. The path is relative to _webpack_'s overall output path. | \n| **`rootComponentAutodetect`** | `{boolean}` | `true` | Whether to try auto-detection of the RootComponent.\u003cbr/\u003e Tries to find the nearest `package.json` and build a CycloneDX component from it, so it can be assigned to `bom.metadata.component`. |\n| **`rootComponentType`** | `{string}` | `\"application\"` | Set the RootComponent's type.\u003cbr/\u003e See [the list of valid values](https://cyclonedx.org/docs/1.6/json/#metadata_component_type). Supported values depend on [CycloneDX-javascript-library]'s enum `ComponentType`. |\n| **`rootComponentName`** | optional `{string}` | `undefined` | If `rootComponentAutodetect` is disabled, then this value is assumed as the \"name\" of the `package.json`. |\n| **`rootComponentVersion`** | optional `{string}` | `undefined` | If `rootComponentAutodetect` is disabled, then this value is assumed as the \"version\" of the `package.json`. |\n| **`rootComponentVCS`** | optional `{string}` | `undefined` | If `rootComponentAutodetect` is disabled or the Version Control System is not declared in the `package.json`, then this value is used as the URL for [RootComponent's External References'][docs_cdx_metadata_component_externalReferences] of type \"vcs\". |\n| **`rootComponentBuildSystem`** | optional `{string}` | `undefined` | Set the URL for [RootComponent's External References'][docs_cdx_metadata_component_externalReferences] of type \"build-system\".\u003cbr/\u003e This behavior is regardless of `rootComponentAutodetect`'s status. 
|\n| **`collectEvidence`** | `{boolean}` | `false` | Whether to collect (license) evidence and attach them to the resulting SBOM. |\n\n### Example\n\nIn your [webpack config] add the CycloneDX plugin:\n\n```javascript\nconst { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');\n\n/** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */\nconst cycloneDxWebpackPluginOptions = {\n  specVersion: '1.6',\n  outputLocation: './bom'\n}\n\nmodule.exports = {\n  // ...\n  plugins: [\n    new CycloneDxWebpackPlugin(cycloneDxWebpackPluginOptions)\n  ]\n}\n```\n\nSee extended [examples].\n\n### Support for IETF /.well-known/sbom\n\nThe CycloneDX _webpack_ plugin supports placing the CycloneDX SBOM in a pre-defined location, specifically in\n`/.well-known/sbom`. This option is enabled by default. The behavior can be changed by overriding the values \nof `includeWellknown` and `wellknownLocation`.  \nSee [draft-ietf-opsawg-sbom-access] for more information on the specification, currently an IETF draft.\n\nIn your [webpack config] add the CycloneDX plugin:\n\n```javascript\nconst { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin');\n\n/** @type {import('@cyclonedx/webpack-plugin').CycloneDxWebpackPluginOptions} */\nconst cycloneDxWebpackPluginOptions = {\n  includeWellknown: true,\n  wellknownLocation: './.well-known'\n}\n\nmodule.exports = {\n  // ...\n  plugins: [\n    new CycloneDxWebpackPlugin(cycloneDxWebpackPluginOptions)\n  ]\n}\n```\n\n### Use with Angular\n\n_Angular_ uses _webpack_ under the hood. Therefore, it is possible to integrate this plugin by utilizing\n[@angular-builders/custom-webpack](https://www.npmjs.com/package/@angular-builders/custom-webpack).  \nSee an example here: [integration with Angular17/webpack5](https://github.com/CycloneDX/cyclonedx-webpack-plugin/tree/master/tests/integration/webpack5-angular17).\n\n### Use with React\n\n_React_ uses _webpack_ under the hood. 
Therefore, it is possible to integrate this plugin.  \nSee an example here: [integration with React18/webpack5](https://github.com/CycloneDX/cyclonedx-webpack-plugin/tree/master/tests/integration/webpack5-react18).\n\n## Internals\n\nThis _webpack_ plugin utilizes the [CycloneDX library][CycloneDX-javascript-library] to generate the actual data structures.\n\nBesides the class `CycloneDxWebpackPlugin` and the interface `CycloneDxWebpackPluginOptions`,  \nthis _webpack_ plugin does **not** expose any additional _public_ API or classes - all code is intended to be internal and might change without any notice during version upgrades.\n\n## Development \u0026 Contributing\n\nFeel free to open issues, bug reports or pull requests.  \nSee the [CONTRIBUTING][contributing_file] file for details.\n\n## License\n\nPermission to modify and redistribute is granted under the terms of the Apache 2.0 license.  \nSee the [LICENSE][license_file] file for the full license.\n\n[CycloneDX]: https://cyclonedx.org/\n[CycloneDX-spec]: https://github.com/CycloneDX/\n\n[webpack]: https://webpack.js.org/\n[webpack config]: https://webpack.js.org/configuration/\n[draft-ietf-opsawg-sbom-access]: https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sbom-access\n\n[CycloneDX-javascript-library]: https://github.com/CycloneDX/cyclonedx-javascript-library/\n\n[license_file]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/master/LICENSE\n[contributing_file]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/master/CONTRIBUTING.md\n[examples]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/tree/master/examples\n\n[shield_gh-workflow-test]: https://img.shields.io/github/actions/workflow/status/CycloneDX/cyclonedx-webpack-plugin/nodejs.yml?branch=master\u0026logo=GitHub\u0026logoColor=white \"tests\"\n[shield_npm-version]: https://img.shields.io/npm/v/%40cyclonedx%2fwebpack-plugin/latest?label=npm\u0026logo=npm\u0026logoColor=white \"npm\"\n[shield_license]: 
https://img.shields.io/github/license/CycloneDX/cyclonedx-webpack-plugin?logo=open%20source%20initiative\u0026logoColor=white \"license\"\n[shield_ossf-best-practices]: https://img.shields.io/cii/percentage/7884?label=OpenSSF%20best%20practices \"OpenSSF best practices\"\n[shield_coverage]: https://img.shields.io/codacy/coverage/100ece8926d548e99d8ca56b9d8cec78?logo=Codacy\u0026logoColor=white \"test coverage\"\n[shield_website]: https://img.shields.io/badge/https://-cyclonedx.org-blue.svg \"homepage\"\n[shield_slack]: https://img.shields.io/badge/slack-join-blue?logo=Slack\u0026logoColor=white \"slack join\"\n[shield_groups]: https://img.shields.io/badge/discussion-groups.io-blue.svg \"groups discussion\"\n[shield_twitter-follow]: https://img.shields.io/badge/Twitter-follow-blue?logo=Twitter\u0026logoColor=white \"twitter follow\"\n\n[link_website]: https://cyclonedx.org/\n[link_gh-workflow-test]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/actions/workflows/nodejs.yml?query=branch%3Amaster\n[link_codacy]: https://app.codacy.com/gh/CycloneDX/cyclonedx-webpack-plugin/dashboard\n[link_ossf-best-practices]: https://www.bestpractices.dev/projects/7884\n[link_npm]: https://www.npmjs.com/package/@cyclonedx/webpack-plugin\n[link_slack]: https://cyclonedx.org/slack/invite\n[link_discussion]: https://groups.io/g/CycloneDX\n[link_twitter]: https://twitter.com/CycloneDX_Spec\n\n[docs_cdx_metadata_component_externalReferences]: https://cyclonedx.org/docs/1.6/json/#metadata_component_externalReferences\n","funding_links":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"],"categories":["Dependency intelligence"],"sub_categories":["SCA and 
SBOM"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fcyclonedx-webpack-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCycloneDX%2Fcyclonedx-webpack-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fcyclonedx-webpack-plugin/lists"}