build: add BOM files to dist packages

fixes juice-shop#2028

Signed-off-by: Jan Kowalleck <[email protected]>

.github/workflows/ci.yml

@@ -268,6 +268,7 @@ jobs:
       - name: "Install CLI tools"
         run: |
           npm install -g @angular/cli@$ANGULAR_CLI_VERSION
+          npm install -g @cyclonedx/cyclonedx-npm@^1.2
           npm install -g grunt-cli
       - name: "Set packaging options for Grunt"
         run: |
@@ -277,7 +278,6 @@ jobs:
       - name: "Package application"
         run: |
           npm install --production
-          npm install -g grunt-cli
           npm run package:ci
       - name: "Unpack application archive"
         run: |

.github/workflows/release.yml

@@ -20,6 +20,7 @@ jobs:
       - name: "Install CLI tools"
         run: |
           npm install -g @angular/cli
+          npm install -g @cyclonedx/cyclonedx-npm@^1.2
           npm install -g grunt-cli
       - name: "Set packaging options for Grunt"
         run: |
@@ -36,7 +37,6 @@ jobs:
       - name: "Package application"
         run: |
           npm install --production
-          npm install -g grunt-cli
           npm run package:ci
       - name: 'Attach packaged archive to tag release'
         uses: softprops/action-gh-release@v1

.gitignore

@@ -30,6 +30,8 @@ vagrant/.vagrant/
 JSON
 JSON.map
 frontend/src/**/*.js
+/bom.json
+/bom.xml
 
 # IDEs
 .idea/

Gruntfile.js

@@ -42,12 +42,15 @@ module.exports = function (grunt) {
               'config.schema.yml',
               'build/**',
               '!build/reports/**',
+              'bom.json',
+              'bom.xml',
               'config/*.yml',
               'data/*.ts',
               'data/static/**',
               'data/chatbot/.gitkeep',
               'encryptionkeys/**',
               'frontend/dist/frontend/**',
+              'frontend/dist/bom/**',
               'frontend/src/**/*.ts',
               'ftp/**',
               'i18n/.gitkeep',

frontend/angular.json

@@ -16,7 +16,7 @@
       "schematics": {},
       "architect": {
         "build": {
-          "builder": "@angular-devkit/build-angular:browser",
+          "builder": "@angular-builders/custom-webpack:browser",
           "options": {
             "outputPath": "dist/frontend",
             "index": "src/index.html",
@@ -46,7 +46,13 @@
             "buildOptimizer": false,
             "sourceMap": true,
             "optimization": false,
-            "namedChunks": true
+            "namedChunks": true,
+            "customWebpackConfig": {
+              "path": "./webpack.angular.js",
+              "mergeRules": {
+                "externals": "replace"
+              }
+            }
           },
           "configurations": {
             "production": {

frontend/package.json

@@ -12,6 +12,7 @@
   },
   "private": true,
   "dependencies": {
+    "@angular-builders/custom-webpack": "^15.0.0",
     "@angular-devkit/build-angular": "^15.0.4",
     "@angular-material-extensions/password-strength": "^6.0.0",
     "@angular/animations": "^15.0.4",
@@ -28,6 +29,7 @@
     "@angular/platform-browser": "^15.0.4",
     "@angular/platform-browser-dynamic": "^15.0.4",
     "@angular/router": "^15.0.4",
+    "@cyclonedx/webpack-plugin": "^3.6.0",
     "@fortawesome/fontawesome-svg-core": "~1.2.30",
     "@fortawesome/free-brands-svg-icons": "^5.14.0",
     "@fortawesome/free-regular-svg-icons": "^5.14.0",

frontend/webpack.angular.js

@@ -0,0 +1,13 @@
+// this file contains extras that should override angular's default configs
+
+const { CycloneDxWebpackPlugin } = require('@cyclonedx/webpack-plugin')
+
+module.exports = {
+  plugins: [
+    // @see https://www.npmjs.com/package/@cyclonedx/webpack-plugin
+    new CycloneDxWebpackPlugin({
+      outputLocation: '../bom', // The path is relative to webpack's overall output path,
+      includeWellknown: false
+    })
+  ]
+}

package.json

@@ -57,7 +57,7 @@
     "lint:config": "schema validate -s config.schema.yml",
     "lint:fix": "eslint *.[jt]s data lib models routes test views rsn --fix && cd frontend && ng lint --fix && npx stylelint \"**/*.scss\" --fix && cd ..",
     "package": "grunt package",
-    "package:ci": "npm prune --production && npm dedupe && cd frontend && npm prune --legacy-peer-deps --production && cd .. && grunt package",
+    "package:ci": "npm prune --production && npm dedupe && cd frontend && npm prune --legacy-peer-deps --production && cd .. && npm run --silent sbom && grunt package",
     "serve": "concurrently --kill-others \"ts-node app.ts\" \"cd frontend && ng serve\"",
     "serve:dev": "concurrently --kill-others \"ts-node-dev app.ts\" \"cd frontend && ng serve\"",
     "start": "node build/app",
@@ -68,7 +68,10 @@
     "rsn": "ts-node rsn/rsn.ts",
     "rsn:verbose": "ts-node rsn/rsn-verbose.ts",
     "rsn:update": "ts-node rsn/rsn-update.ts",
-    "vagrant": "cd vagrant && vagrant up"
+    "vagrant": "cd vagrant && vagrant up",
+    "sbom": "npm run sbom:json && npm run sbom:xml",
+    "sbom:json": "cyclonedx-npm --omit=dev --output-format=JSON --output-file=bom.json",
+    "sbom:xml": " cyclonedx-npm --omit=dev --output-format=XML  --output-file=bom.xml"
   },
   "jest": {
     "preset": "ts-jest",
@@ -179,6 +182,7 @@
     "z85": "^0.0.2"
   },
   "devDependencies": {
+    "@cyclonedx/cyclonedx-npm": "^1.12.0",
     "@istanbuljs/nyc-config-typescript": "^1.0.1",
     "@types/chai": "^4.2.14",
     "@types/chai-as-promised": "^7.1.3",
@@ -276,4 +280,4 @@
       "inject"
     ]
   }
-}
+}