
Commit 095fd2b

dknauss and claude committed
Add CycloneDX SBOM generation and future options to roadmap
Add cyclonedx-php-composer as a dev dependency with `composer sbom` script to generate bom.json (CycloneDX 1.6 JSON). Ship bom.json in the repo for supply chain transparency. Add Possible Features section to roadmap covering CI-generated SBOMs, JS dependency tracking, whole-site SBOM tooling, and Playwright JS testing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 016426a commit 095fd2b

4 files changed

Lines changed: 4020 additions & 3 deletions


ROADMAP.md

Lines changed: 31 additions & 0 deletions
@@ -122,3 +122,34 @@ These items were considered and intentionally excluded:
122122
WebAuthn's `navigator.credentials.get()` ceremony. The
123123
[WebAuthn Provider for Two Factor](https://wordpress.org/plugins/two-factor-provider-webauthn/)
124124
plugin is recommended in the readme. No WP Sudo changes needed.
125+
126+
## Possible Features
127+
128+
Ideas worth considering but not yet committed to.
129+
130+
### SBOM Enhancements
131+
132+
A CycloneDX SBOM (`bom.json`) is generated via `composer sbom` and shipped in the
133+
repo. Currently it reflects only the PHP/Composer dependency graph (which is
134+
minimal — zero production dependencies). Future options:
135+
136+
- **GitHub Action for CI-generated SBOMs** — use
137+
[CycloneDX/gh-php-composer-generate-sbom](https://github.com/CycloneDX/gh-php-composer-generate-sbom)
138+
to regenerate `bom.json` on every release tag. Ensures the SBOM is always in
139+
sync with `composer.lock`.
140+
- **JS dependency tracking** — if Gutenberg integration (item 8) introduces an
141+
npm build step, add `@cyclonedx/cyclonedx-npm` to capture front-end
142+
dependencies in a separate or merged SBOM.
143+
- **Whole-site SBOM tooling** — for site operators (not plugin authors), tools
144+
like [wpbom](https://wordpress.org/plugins/wpbom/) and the methodology in
145+
[FrontEndSBOM](https://github.com/CaseyFaheyNetgoalie/FrontEndSBOM) can
146+
inventory all plugins, themes, and their dependency chains. Could be referenced
147+
in WP Sudo's security documentation as a recommended practice.
148+
149+
### JS Testing with Playwright
150+
151+
No JS tests exist today. The vanilla JS files have no build step and limited
152+
surface area, so the cost-benefit of Jest + JSDOM mocks is low. The natural
153+
trigger is Gutenberg integration (item 8), which would require browser-level
154+
testing anyway. At that point, add Playwright E2E tests covering the existing
155+
challenge page flow alongside the new editor integration.
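Review bot: the committed `bom.json` will drift from `composer.lock` until the CI-generated SBOM described in the first bullet under "SBOM Enhancements" is in place, because `composer sbom` is a manually run script. Until that action is adopted, a CI step that regenerates the file and fails on any difference (`composer sbom && git diff --exit-code bom.json`) would keep a stale SBOM from reaching a release tag, which is the guarantee the bullet is after. It is also worth stating in this section that the shipped SBOM covers only the Composer graph, so the vanilla JS files mentioned under "JS Testing with Playwright" are not in it; a reader should not take `bom.json` as a complete component inventory of the plugin until the JS tracking bullet is acted on.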
