Description
homepage_url
https://github.com/CycloneDX/cyclonedx-webpack-plugin#readme-ov-file
contact_email
jan.kowalleck [at] owasp.org
code_view_url
https://github.com/CycloneDX/cyclonedx-webpack-plugin
spdx_license_expression
Apache-2.0
description
This plugin for webpack creates a CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all bundled dependencies.
The plugin uses the module linkages generated by webpack to build a dependency graph that contains only the dependencies actually present in the bundle (i.e. after tree-shaking), rather than everything declared in package.json or the lockfile.
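Because the BOM reflects what webpack bundled rather than what the lockfile declares, a pipeline should reconcile the three views before trusting the SBOM. The script below is an added example and is not code from the cyclonedx-webpack-plugin project: it compares the package set in a CycloneDX JSON BOM with the module list from `webpack --json` and the `packages` map of an npm lockfile, reporting bundled packages missing from the BOM, BOM entries that were never bundled, lockfile packages pruned by tree-shaking, and version disagreements. All inputs are constructed inline; the field shapes used (`stats.modules[].name`, `components[].group`/`name`/`version`/`purl`, lockfile keys of the form `node_modules/<name>`) are assumptions based on the webpack stats, CycloneDX JSON and npm lockfile v2/v3 layouts.

```javascript
// Added example, not part of the cyclonedx-webpack-plugin project.
// Reconciles a CycloneDX BOM with what webpack actually bundled and what the
// lockfile declared. All three inputs below are constructed samples.

// Constructed: subset of `webpack --json` output (module names as webpack reports them).
const webpackStats = {
  modules: [
    { name: './src/index.js' },
    { name: './node_modules/lodash-es/debounce.js' },
    { name: './node_modules/lodash-es/isObject.js' },
    { name: './node_modules/tslib/tslib.es6.js' },
  ],
};

// Constructed: subset of the `packages` map in package-lock.json (v2/v3 layout).
// The "" key is the root project and is ignored by packageNameOf().
const lockfilePackages = {
  '': { name: 'demo-app', version: '0.1.0' },
  'node_modules/lodash-es': { version: '4.17.21' },
  'node_modules/tslib': { version: '2.6.2' },
  'node_modules/left-pad': { version: '1.3.0' }, // declared, never imported
};

// Constructed: subset of a CycloneDX 1.6 JSON BOM as the plugin might emit it
// (assumption: scoped packages appear as group "@scope" + name "pkg").
const bom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.6',
  components: [
    { type: 'library', name: 'lodash-es', version: '4.17.21', purl: 'pkg:npm/lodash-es@4.17.21' },
    { type: 'library', name: 'tslib', version: '2.6.2', purl: 'pkg:npm/tslib@2.6.2' },
  ],
};

// Map a module or lockfile path to its npm package name. Handles scoped
// packages (@scope/name) and nested node_modules (the innermost wins).
// Returns null for first-party source that is not under node_modules.
function packageNameOf(modulePath) {
  const parts = modulePath.split('/');
  const idx = parts.lastIndexOf('node_modules');
  if (idx === -1) return null;
  const first = parts[idx + 1];
  if (!first) return null;
  if (first.startsWith('@')) {
    const second = parts[idx + 2];
    return second ? `${first}/${second}` : null;
  }
  return first;
}

// Package names webpack reports as bundled (first-party modules are dropped).
function bundledPackages(stats) {
  const names = new Set();
  for (const m of stats.modules) {
    const n = packageNameOf(m.name);
    if (n) names.add(n);
  }
  return names;
}

// Full package name for a CycloneDX component (group + name for scoped packages).
function componentName(c) {
  return c.group ? `${c.group}/${c.name}` : c.name;
}

// Produce the reconciliation report. Every list should be empty except
// prunedByTreeShaking, which is expected to be non-empty for real projects.
function reconcile(stats, lock, b) {
  const bundled = bundledPackages(stats);
  const components = b.components || [];
  const inBom = new Set(components.map(componentName));
  const declared = new Set(Object.keys(lock).map(packageNameOf).filter(Boolean));

  const versionMismatch = [];
  for (const c of components) {
    const name = componentName(c);
    const entry = lock[`node_modules/${name}`]; // top-level install only
    if (entry && entry.version !== c.version) {
      versionMismatch.push(`${name}: bom=${c.version} lock=${entry.version}`);
    }
  }

  return {
    missingFromBom: [...bundled].filter(n => !inBom.has(n)).sort(),
    notBundled: [...inBom].filter(n => !bundled.has(n)).sort(),
    prunedByTreeShaking: [...declared].filter(n => !bundled.has(n)).sort(),
    withoutPurl: components.filter(c => !(c.purl || '').startsWith('pkg:npm/')).map(componentName).sort(),
    versionMismatch,
  };
}

// Gate for CI: true when the BOM and the bundle disagree in any way that matters.
function hasGaps(report) {
  return report.missingFromBom.length > 0 || report.notBundled.length > 0 ||
    report.withoutPurl.length > 0 || report.versionMismatch.length > 0;
}

const report = reconcile(webpackStats, lockfilePackages, bom);
console.log(JSON.stringify(report, null, 2));
console.log(hasGaps(report) ? 'BOM does not match the bundle' : 'BOM matches the bundle');
```

In a real pipeline the three objects would be read from `bom.json`, the stats file written by `webpack --json`, and `package-lock.json`; `missingFromBom` is the finding to treat as a failure, since it means a bundled third-party package is absent from the inventory, while `prunedByTreeShaking` only documents what the plugin deliberately left out.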
primary_languages
TypeScript
short_term_roadmap
all things are community efforts - come and help/contribute
- render property cdx:reproducible (CycloneDX/cyclonedx-webpack-plugin#1201)
- feat: add copyright to evidence collection (CycloneDX/cyclonedx-webpack-plugin#1338)
- Add support for node v24
- Have known bugs fixed
- Continue supporting the community in contributing new features
 
long_term_roadmap
all things are community efforts - come and help/contribute
- basic support of upcoming CycloneDX 1.7 (CDX 1.7 is expected around May/June 2025)
- feat: have "formulation" as part of the BOM (MBOM) (CycloneDX/cyclonedx-webpack-plugin#1019)
- feat: File-type components and hashes (CycloneDX/cyclonedx-webpack-plugin#1235)
- Continue supporting the community in contributing new features
 
proprietary_data
- Yes, the tool depends on proprietary data sources
 
commercial_features
- Yes, the tool has a commercial version with different/additional features
 
capabilities
- Identifiers - Use Package-URL (PURL) identifiers
- Identifiers - Use SPDX license expressions
- Scanning - Analyze package manifests and lockfiles
- Scanning - Analyze package files
- Scanning - Scan for copyright
- Scanning - Scan for license
- Scanning - Analyze source code
- Scanning - Analyze containers
- Scanning - Analyze installed system packages (linux distros)
- Scanning - Analyze installed application packages
- Scanning - Other analysis
- Packages - Inventory packages
- Packages - Inventory packages dependencies
- Packages - Resolve dependencies
- Packages - Navigate or display dependency graph
- Compliance - Generate CycloneDX SBOMs
- Compliance - Generate SPDX SBOMs
- Compliance - Validate CycloneDX SBOM
- Compliance - Validate SPDX SBOMs
- Compliance - Generate CycloneDX VEX
- Compliance - Generate CSAF VEX
- Compliance - Generate OpenVex
- Compliance - Generate other compliance documents
- Policies - Define and check license policies
- Policies - Define and check security policies
- Policies - Define and check other policies
- Data - Database of Package metadata
- Data - Database of Package dependency relationships
- Data - Database of License obligations
- Data - Database of Licenses
- Data - Database of Vulnerabilities
- License - Help triage license issues
- License - Generate license credit and attribution notices
- License - Generate source code redistribution lists
- Vulnerabilities - Detect vulnerable code in packages
- Vulnerabilities - Find known vulnerabilities for package
- Vulnerabilities - Determine reachable vulnerabilities
- Vulnerabilities - Help triage vulnerabilities
- Binaries - Analyze binaries
- Binaries - Analyze ELF binaries
- Binaries - Analyze Windows binaries
- Binaries - Analyze firmware binaries
- Binaries - Analyze Other binaries
- Matching - Match source code
- Matching - Match binary code
- Tracing - Trace code execution
- Tracing - Trace build
- Code Security - Analyze code statically (SAST/linting)
- Code Security - Analyze code dynamically (DAST)
- Download - Source package
- Download - Source repositories
- Download - Binary package
- Deployment - Deployable as containers (Docker/OCI/k8s/etc)
- Deployment - Deployable in CI/CD pipelines
- Deployment - Deployable as a library
- Run - Run as a command line tool
- Run - Run as a web application
- Run - Run as an API service
 
other_capabilities
No response