How to create an SBOM for a NodeJS application during the build phase of Continuous Integration in GitLab
Software bill of materials

Install the CycloneDX NPM module:

```shell
npm install -g @cyclonedx/bom
```

Test it by running:

```shell
cyclonedx-bom -o bom.xml
```

You can now examine the resulting bom.xml file.
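Examining bom.xml by eye does not scale, so here is an added example (not from the original post) in Python that parses the `<components>` list of a CycloneDX XML document into an inventory keyed by package URL and reports what changed between two SBOMs: the check a reviewer wants when a CI job commits an updated bom.xml. The two documents inside are constructed samples, not real project output; the CycloneDX 1.2 namespace is assumed, and the parser strips namespaces so other schema versions parse the same way.

```python
"""Inventory and diff CycloneDX XML SBOMs such as those written by cyclonedx-bom.

Added example, not code from the original post. The sample documents below
are constructed for illustration; real output comes from `cyclonedx-bom -o bom.xml`.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal CycloneDX 1.2 document from a first build.
BOM_OLD = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <name>lodash</name>
      <version>4.17.15</version>
      <purl>pkg:npm/lodash@4.17.15</purl>
    </component>
    <component type="library">
      <name>express</name>
      <version>4.17.1</version>
      <purl>pkg:npm/express@4.17.1</purl>
    </component>
  </components>
</bom>
"""

# Constructed sample: the next build, after one bump and one package swap.
BOM_NEW = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="2">
  <components>
    <component type="library">
      <name>lodash</name>
      <version>4.17.20</version>
      <purl>pkg:npm/lodash@4.17.20</purl>
    </component>
    <component type="library">
      <name>minimist</name>
      <version>1.2.5</version>
      <purl>pkg:npm/minimist@1.2.5</purl>
    </component>
  </components>
</bom>
"""


def _local(tag):
    """Strip the XML namespace so any CycloneDX schema version is handled alike."""
    return tag.rsplit("}", 1)[-1]


def parse_components(xml_doc):
    """Return {purl-without-version: (name, version, purl)} for every <component>."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")  # let expat honour the encoding declaration
    root = ET.fromstring(xml_doc)
    inventory = {}
    for elem in root.iter():
        if _local(elem.tag) != "component":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        name, version = fields.get("name", ""), fields.get("version", "")
        purl = fields.get("purl") or f"pkg:npm/{name}@{version}"
        # Key on the purl minus its version so a bump reads as a change, not add+remove.
        # Scoped npm names encode '@' as %40 in a purl, so rsplit on '@' is safe.
        inventory[purl.rsplit("@", 1)[0]] = (name, version, purl)
    return inventory


def diff_sboms(old_xml, new_xml):
    """Compare two SBOMs; returns sorted 'added', 'removed' and 'changed' lists."""
    old, new = parse_components(old_xml), parse_components(new_xml)
    added = sorted(new[k][2] for k in new.keys() - old.keys())
    removed = sorted(old[k][2] for k in old.keys() - new.keys())
    changed = sorted(
        (old[k][0], old[k][1], new[k][1])
        for k in old.keys() & new.keys()
        if old[k][1] != new[k][1]
    )
    return {"added": added, "removed": removed, "changed": changed}


def main():
    report = diff_sboms(BOM_OLD, BOM_NEW)
    for purl in report["added"]:
        print("added    ", purl)
    for purl in report["removed"]:
        print("removed  ", purl)
    for name, before, after in report["changed"]:
        print(f"changed   {name}: {before} -> {after}")


if __name__ == "__main__":
    main()
```

In a pipeline you would feed `diff_sboms` the committed bom.xml and the freshly generated one; a non-empty `added` or `changed` list is the point at which to review new dependencies before the updated SBOM is pushed.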
With the setup working, we can integrate it into the build phase of Continuous Integration. In the .gitlab-ci.yml file, add a section for SBOM generation:

```yaml
variables:
  # SBOM
  # Placeholder only: define the real token as a masked, protected CI/CD variable
  # in the project settings rather than committing it to this file.
  GITLAB_TOKEN: "gitlab_token"
  GITLAB_USER: 'maverick'
  GITLAB_EMAIL: "consolemaverick@gmail.com"
  COMMIT_MESSAGE: 'Update SBOM'
  # CI_PROJECT_PATH and CI_SERVER_HOST are also predefined by GitLab CI; set them
  # here only if you need to override the defaults.
  CI_PROJECT_PATH: "group_name/project_name"
  CI_SERVER_HOST: "gitlab.company.com"

sbom:
  stage: build
  script:
    - curl -sL https://deb.nodesource.com/setup_12.x | bash -
    - apt-get install -y nodejs
    - node -v
    - npm install -g @cyclonedx/bom
    - curl "https://install.meteor.com/?release=1.6.1" | sh
    - git config --global user.email "${GIT_USER_EMAIL:-$GITLAB_EMAIL}"
    - git config --global user.name "${GIT_USERNAME:-$GITLAB_USER}"
    - git checkout "${CI_COMMIT_BRANCH}"
    - git remote set-url origin "https://${GITLAB_USER}:${GITLAB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
    - git pull
    - cd frontend
    - meteor npm install
    - cyclonedx-bom -o bom.xml
    - cd ../admin
    - meteor npm install
    - cyclonedx-bom -o bom.xml
    - cd ..
    - git add admin/bom.xml
    - git add frontend/bom.xml
    - |-
      # Check if we have modifications to commit
      CHANGES=$(git status --porcelain | wc -l)
      if [ "$CHANGES" -gt "0" ]; then
        git status
        git commit -m "${COMMIT_MESSAGE}"
        # ci.skip prevents the SBOM commit from triggering another pipeline run
        git push origin "${CI_COMMIT_BRANCH}" -o ci.skip
      fi
```
You will need to generate a GitLab personal access token with read/write repository permissions and use it in place of the GITLAB_TOKEN value above.