feat: add a job generating software bill of materials

Signed-off-by: Clement Bois <clement.bois@orange.com>

README.md

@@ -181,6 +181,18 @@ exports.config = {
 }
 ```
 
+### `ng-sbom` job
+
+This job generates a [SBOM](https://cyclonedx.org/) file listing installed packages using [@cyclonedx/cyclonedx-npm](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name                  | description                            | default value     |
+| --------------------- | -------------------------------------- | ----------------- |
+| `NG_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `NG_SBOM_VERSION` | The version of @cyclonedx/cyclonedx-npm used to emit SBOM | _none_ (uses latest) |
+| `NG_SBOM_OPTS` | Options for @cyclonedx/cyclonedx-npm used for SBOM analysis | `--omit dev` |
+
 ### `ng-publish` job
 
 The Angular template features a `ng-publish` job to publish the built project.

kicker.json

@@ -101,6 +101,25 @@
           "advanced": true
         }
       ]
+    },
+    {
+      "id": "sbom",
+      "name": "Software Bill of Materials",
+      "description": "This job generates a file listing all dependencies using [@cyclonedx/cyclonedx-npm](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm)",
+      "disable_with": "NG_SBOM_DISABLED",
+      "variables": [
+        {
+          "name": "NG_SBOM_VERSION",
+          "description": "Version of the @cyclonedx/cyclonedx-npm used for SBOM analysis",
+          "advanced": true
+        },
+        {
+          "name": "NG_SBOM_OPTS",
+          "description": "Options for @cyclonedx/cyclonedx-npm used for SBOM analysis",
+          "default": "--omit dev",
+          "advanced": true
+        }
+      ]
     }
   ]
 }

templates/gitlab-ci-angular.yml

@@ -65,6 +65,8 @@ variables:
   # Angular Build
   NG_BUILD_ARGS: "build"
 
+  NG_SBOM_OPTS: "--omit dev"
+
   # default production ref name (pattern)
   PROD_REF: '/^(master|main)$/'
   # default integration ref name (pattern)
@@ -499,8 +501,9 @@ ng-build:
     expire_in: 1 day
 
 ###############################################################################################
-#                                      test stage:                                           #
-#                                        - ng-e2e                                           #
+#                                      test stage:                                            #
+#                                        - ng-e2e                                             #
+#                                        - ng-sbom                                            #
 ###############################################################################################
 ng-e2e:
   extends: .ng-cli-base
@@ -521,6 +524,27 @@ ng-e2e:
       when: never
     - !reference [.test-policy, rules]
 
+ng-sbom:
+  extends: .ng-cli-base
+  stage: test
+  # force no dependency
+  dependencies: []
+  script:
+    - mkdir -p -m 777 reports
+    - npx -y @cyclonedx/cyclonedx-npm${NG_SBOM_VERSION:+@$NG_SBOM_VERSION} --output-format JSON --output-file reports/ng-sbom.cyclonedx.json $NG_SBOM_OPTS
+    - chmod a+r reports/ng-sbom.cyclonedx.json
+  rules:
+    # exclude if disabled
+    - if: '$NG_SBOM_DISABLED == "true"'
+      when: never
+    - !reference [.test-policy, rules]
+  artifacts:
+    name: "SBOM for Angular from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    when: always
+    expire_in: 1 week
+    paths:
+      - $NG_WORKSPACE_DIR/reports/ng-sbom.cyclonedx.json
+
 ###############################################################################################
 #                                      publish stage:                                         #
 #                                        - npm-publish                                        #