diff --git a/README.md b/README.md
index 9a3ddcf6d8335958c1c22d315d21a80b386d3ec5..bef5348bc41621e7cbfa5c550b1add6042dcc55d 100644
--- a/README.md
+++ b/README.md
@@ -181,6 +181,18 @@ exports.config = {
 }
 ```
 
+### `ng-sbom` job
+
+This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [@cyclonedx/cyclonedx-npm](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name | description | default value |
+| --------------------- | -------------------------------------- | ----------------- |
+| `NG_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `NG_SBOM_VERSION` | The version of @cyclonedx/cyclonedx-npm used to emit SBOM | _none_ (uses latest) |
+| `NG_SBOM_OPTS` | Options for @cyclonedx/cyclonedx-npm used for SBOM analysis | `--omit dev` |
+
 ### `ng-publish` job
 
 The Angular template features a `ng-publish` job to publish the built project.
diff --git a/kicker.json b/kicker.json
index 5bf4d4a1687b91ded7c0bb5b56f1a0f048ee3cf9..beab39121c0383bacd168dee168836a4e859e61a 100644
--- a/kicker.json
+++ b/kicker.json
@@ -101,6 +101,25 @@
           "advanced": true
         }
       ]
+    },
+    {
+      "id": "sbom",
+      "name": "Software Bill of Materials",
+      "description": "This job generates a file listing all dependencies using [@cyclonedx/cyclonedx-npm](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm)",
+      "disable_with": "NG_SBOM_DISABLED",
+      "variables": [
+        {
+          "name": "NG_SBOM_VERSION",
+          "description": "Version of the @cyclonedx/cyclonedx-npm used for SBOM analysis",
+          "advanced": true
+        },
+        {
+          "name": "NG_SBOM_OPTS",
+          "description": "Options for @cyclonedx/cyclonedx-npm used for SBOM analysis",
+          "default": "--omit dev",
+          "advanced": true
+        }
+      ]
     }
   ]
 }
diff --git a/templates/gitlab-ci-angular.yml b/templates/gitlab-ci-angular.yml
index d93f4f3eb8e6951e28065cadc6d52d925711cebc..8908609f15b2b707ea52650c9b1cd34fcdf27fc5 100644
--- a/templates/gitlab-ci-angular.yml
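Review bot: The `NG_SBOM_VERSION` entry in the kicker.json hunk carries no `default` and its description does not say what happens when the variable is left empty, whereas the README table in the same commit states `_none_ (uses latest)`; a Kicker user reading only the manifest cannot tell that the job floats to the newest release of the tool. Suggest `"description": "Version of @cyclonedx/cyclonedx-npm used for SBOM analysis (latest release if unset)"`. The two descriptions also drift slightly from the README wording ("used to emit SBOM" vs "used for SBOM analysis"); aligning them avoids the texts diverging further over time.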
+++ b/templates/gitlab-ci-angular.yml
@@ -65,6 +65,8 @@ variables:
 
   # Angular Build
   NG_BUILD_ARGS: "build"
+  NG_SBOM_OPTS: "--omit dev"
+
   # default production ref name (pattern)
   PROD_REF: '/^(master|main)$/'
   # default integration ref name (pattern)
@@ -499,8 +501,9 @@ ng-build:
     expire_in: 1 day
 
 ###############################################################################################
-# test stage: #
-# - ng-e2e #
+# test stage: #
+# - ng-e2e #
+# - ng-sbom #
 ###############################################################################################
 ng-e2e:
   extends: .ng-cli-base
@@ -521,6 +524,27 @@ ng-e2e:
       when: never
     - !reference [.test-policy, rules]
 
+ng-sbom:
+  extends: .ng-cli-base
+  stage: test
+  # force no dependency
+  dependencies: []
+  script:
+    - mkdir -p -m 777 reports
+    - npx -y @cyclonedx/cyclonedx-npm${NG_SBOM_VERSION:+@$NG_SBOM_VERSION} --output-format JSON --output-file reports/ng-sbom.cyclonedx.json $NG_SBOM_OPTS
+    - chmod a+r reports/ng-sbom.cyclonedx.json
+  rules:
+    # exclude if disabled
+    - if: '$NG_SBOM_DISABLED == "true"'
+      when: never
+    - !reference [.test-policy, rules]
+  artifacts:
+    name: "SBOM for Angular from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    when: always
+    expire_in: 1 week
+    paths:
+      - $NG_WORKSPACE_DIR/reports/ng-sbom.cyclonedx.json
+
 ###############################################################################################
 # publish stage: #
 # - npm-publish #
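Review bot: `NG_SBOM_OPTS` gets a default in this `variables:` hunk but `NG_SBOM_VERSION` does not, so with the `ng-sbom` job added later in this file `npx -y` resolves `@cyclonedx/cyclonedx-npm` to whatever `latest` is at pipeline time, which makes the SBOM generator itself an unpinned, auto-installed dependency executed on every run. Both reproducibility and the trustworthiness of the resulting SBOM argue for a pinned default, e.g. `NG_SBOM_VERSION: "<pinned version>"` (placeholder) next to `NG_SBOM_OPTS`, bumped deliberately in later commits; the README's "_none_ (uses latest)" would then describe the override path rather than the norm. If floating to latest is intentional for the template, a one-line comment above the variable saying so would stop the next reader from raising the same question.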
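Review bot: The generated file is only exposed under `artifacts:paths`, so GitLab keeps it as a plain download and does not ingest it as an SBOM; adding `reports:` with `cyclonedx:` pointing at the same file, i.e. `reports:` / `cyclonedx:` / `- $NG_WORKSPACE_DIR/reports/ng-sbom.cyclonedx.json`, feeds the dependency list while keeping the download. The `script` writes to the relative `reports/` directory while `paths` is anchored at `$NG_WORKSPACE_DIR`, which only lines up if `.ng-cli-base` (defined outside this hunk) changes into that directory first; a comment such as `# reports/ is relative to $NG_WORKSPACE_DIR (cwd set by .ng-cli-base)` would make that dependency explicit. `mkdir -p -m 777 reports` is wider than the later `chmod a+r` needs — `-m 755` suffices unless another container user must write there, which nothing in the hunk shows.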