Skip to content

Generate SBOMs for a release #43

Generate SBOMs for a release

Generate SBOMs for a release #43

name: Generate SBOMs for a release
on:
workflow_dispatch:
inputs:
#checkov:skip=CKV_GHA_7:This is a false positive
release:
description: 'SecObserve release (without the v)'
required: true
permissions: read-all
jobs:
generate_sboms:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version: 20
-
name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: 'v${{ github.event.inputs.release }}'
-
name: Install programs
env:
CDXGEN_VERSION: 10.9.4
SBOM_UTILITY_VERSION: 0.16.0
CYCLONE_DX_CLI_VERSION: 0.25.1
run: |
npm install -g @cyclonedx/cdxgen@"$CDXGEN_VERSION"
cd /usr/local/bin
wget --no-verbose https://github.com/CycloneDX/sbom-utility/releases/download/v"$SBOM_UTILITY_VERSION"/sbom-utility-v"$SBOM_UTILITY_VERSION"-linux-amd64.tar.gz -O - | tar -zxf -
wget --no-verbose https://github.com/CycloneDX/cyclonedx-cli/releases/download/v"$CYCLONE_DX_CLI_VERSION"/cyclonedx-linux-x64
cp cyclonedx-linux-x64 /usr/local/bin/cyclonedx
chmod +x /usr/local/bin/cyclonedx
-
name: Generate SBOM for backend application
env:
VERSION: ${{ github.event.inputs.release }}
FETCH_LICENSE: 1
working-directory: ./sbom
run: |
mv ../backend/poetry_requirements.txt ../backend/poetry_requirements.sic
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_application.json
cdxgen ../backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json
sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_backend_application.json \
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
| sbom-utility patch --patch-file ./configuration/patch_backend_application.json --quiet --input-file - --output-file sbom_backend_application_"$VERSION".json
sbom-utility validate --input-file sbom_backend_application_"$VERSION".json
rm sbom_backend_application.json
mv ../backend/poetry_requirements.sic ../backend/poetry_requirements.txt
-
name: Generate SBOM for frontend application
env:
VERSION: ${{ github.event.inputs.release }}
working-directory: ./sbom
run: |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_application.json
cdxgen ../frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles --quiet --input-file sbom_frontend_application.json \
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
| sbom-utility patch --patch-file ./configuration/patch_frontend_application.json --quiet --input-file - --output-file sbom_frontend_application_"$VERSION".json
sbom-utility validate --input-file sbom_frontend_application_"$VERSION".json
rm sbom_frontend_application.json
-
name: Generate SBOM for backend container
env:
VERSION: ${{ github.event.inputs.release }}
working-directory: ./sbom
run: |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_container.json
cdxgen maibornwolff/secobserve-backend:$VERSION --type container --exclude-type python --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_backend_container.json
sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_backend_container.json \
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
| sbom-utility patch --patch-file ./configuration/patch_backend_container.json --quiet --input-file - --output-file sbom_backend_container_"$VERSION".json
sbom-utility validate --input-file sbom_backend_container_"$VERSION".json
rm sbom_backend_container.json
-
name: Generate SBOM for frontend container
env:
VERSION: ${{ github.event.inputs.release }}
working-directory: ./sbom
run: |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_container.json
cdxgen maibornwolff/secobserve-frontend:$VERSION --type container --exclude-type npm --exclude-type ruby --profile license-compliance --no-auto-compositions --output sbom_frontend_container.json
sbom-utility trim --keys=externalReferences,properties,evidence,authors,lifecycles,services --quiet --input-file sbom_frontend_container.json \
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
| sbom-utility patch --patch-file ./configuration/patch_frontend_container.json --quiet --input-file - --output-file sbom_frontend_container_"$VERSION".json
sbom-utility validate --input-file sbom_frontend_container_"$VERSION".json
rm sbom_frontend_container.json
-
name: Merge SBOMs
env:
VERSION: ${{ github.event.inputs.release }}
working-directory: ./sbom
run: |
sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_complete.json
cyclonedx merge --hierarchical --name "SecObserve" --version "$VERSION" --input-files sbom_backend_application_"$VERSION".json sbom_frontend_application_"$VERSION".json sbom_backend_container_"$VERSION".json sbom_frontend_container_"$VERSION".json --output-format json \
| sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
| sbom-utility patch --patch-file ./configuration/patch_complete.json --quiet --input-file - --output-file sbom_"$VERSION".json
sbom-utility validate --input-file sbom_"$VERSION".json
-
name: Commit SBOMs
uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5
with:
skip_fetch: true
create_branch: true
commit_message: "chore: generate SBOMs for release ${{ github.event.inputs.release }}"
branch: "chore/sboms_release_${{ github.event.inputs.release }}"
file_pattern: "sbom/sbom*.json"