
Use webpack instead of npm to create sbom (#129)

The current form of the merge request builds the software bill of materials based on the package configuration; however, this doesn't take into account unused packages, for example:

  • Packages that are only used in development, not in production (for example linting)
  • Packages that are no longer being used, but we forgot to remove from the package.json
  • Packages that are removed via tree-shaking (i.e. child packages that we don't need, as the parent code that uses them is not being used by us)
  • Packages that are used in another variant (e.g. used in the patient app, but not in the doctor app)

We can account for these by instead building the sbom via webpack, which applies tree-shaking to remove unused packages

This also has the advantage that we don't need an extra step to build the sbom, as it's injected as part of the normal webpack bundling process

Cons

The downside here is that we're loading the sbom file asynchronously via ajax, as the CycloneDX plugin doesn't have an option to inject the result into the application bundle

This would mean that users without an internet connection would not be able to read the list, however this is probably a small issue

Edited by James Jenkinson
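As an added illustration (not code from this merge request or from the CycloneDX plugin) of the runtime-loading approach described above: the client fetches the generated CycloneDX JSON, validates that it really is a CycloneDX document before rendering it, and returns an explicit "unavailable" result for offline users instead of failing. The output path `/bom.json`, the `fetch` injection and the sample document are assumptions for this example.

```javascript
// Added example, not part of the merge request: consume the CycloneDX JSON SBOM
// that the webpack plugin writes and load it at runtime with an offline fallback.
// Assumptions: the SBOM is served at /bom.json (placeholder path) and is fetched
// with the browser fetch API, injected here so the logic can be exercised offline.

const SBOM_URL = "/bom.json"; // assumed location, not the plugin's default

// Reduce a CycloneDX document to the fields a "third-party packages" screen needs.
// Throws on anything that is not CycloneDX, so a 404/HTML response is never
// rendered as if it were the package list.
function parseSbomComponents(doc) {
  if (!doc || doc.bomFormat !== "CycloneDX" || !Array.isArray(doc.components)) {
    throw new Error("not a CycloneDX JSON document");
  }
  return doc.components.map((c) => ({
    name: c.group ? `${c.group}/${c.name}` : c.name,
    version: c.version ?? "unknown",
    purl: c.purl ?? null,
    // CycloneDX licenses are {license:{id}}, {license:{name}} or {expression}
    licenses: (c.licenses ?? []).map(
      (l) => l.license?.id ?? l.license?.name ?? l.expression ?? "unknown",
    ),
  }));
}

// Load the SBOM over the network. Never throws: users without a connection get
// {ok:false, reason} so the UI can say "list unavailable offline" rather than break.
async function loadSbom(fetchImpl = globalThis.fetch, url = SBOM_URL) {
  try {
    const res = await fetchImpl(url, { cache: "no-store" });
    if (!res.ok) return { ok: false, reason: `HTTP ${res.status}` };
    return { ok: true, components: parseSbomComponents(await res.json()) };
  } catch (err) {
    return { ok: false, reason: err.message || "network error" };
  }
}

// Constructed sample shaped like a plugin-generated SBOM (values are illustrative).
const SAMPLE_SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  components: [
    { type: "library", name: "react", version: "18.2.0",
      purl: "pkg:npm/react@18.2.0", licenses: [{ license: { id: "MIT" } }] },
    { type: "library", group: "@babel", name: "runtime", version: "7.22.0",
      licenses: [{ expression: "MIT" }] },
  ],
};
```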
