Skip to content

Bumps sbomasm, sbomqs and trivy. #117

Bumps sbomasm, sbomqs and trivy.

Bumps sbomasm, sbomqs and trivy. #117

---
name: Phase 1 - Python
on:
push:
paths:
- .github/workflows/phase_1_python.yml
- 'phase_1/Python/**'
env:
PARLAY_VERSION: 0.6.0
SBOMASM_VERSION: 0.1.9
SBOMQS_VERSION: 0.2.3
SEMVER: 0.1.0
TRIVY_VERSION: 0.57.1
SBOM_AUTHOR: "CISA Tiger Group for SBOM Generation Reference Implementations"
SBOM_SUPPLIER: "CISA Tiger Group for SBOM Generation Reference Implementations"
jobs:
Generate_Container:
name: "Generate Container SBOM"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
# We're using native docker build here rather
# than 'docker/build-push-action' to make the run
# more pipeline agnostic.
- name: Build Docker image
working-directory: "phase_1/Python"
run: |
docker build -t phase-1-python .
- name: Install Trivy
run: |
curl -L -o /tmp/trivy.tgz \
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
tar xvf /tmp/trivy.tgz -C /tmp
chmod +x /tmp/trivy
- name: Generate SBOM with Trivy
working-directory: "phase_1/Python"
run: |
/tmp/trivy image \
--format cyclonedx \
--pkg-types os \
--output /tmp/container-sbom.cdx.json \
phase-1-python
/tmp/trivy image \
--format spdx-json \
--pkg-types os \
--output /tmp/container-sbom.spdx.json \
phase-1-python
- name: Upload CycloneDX SBOM
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: container-sbom-cyclonedx
path: "/tmp/container-sbom.cdx.json"
- name: Upload SPDX SBOM
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: container-sbom-spdx
path: "/tmp/container-sbom.spdx.json"
Generate_Application:
name: "Generate Application SBOM"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Install Trivy
run: |
curl -L -o /tmp/trivy.tgz \
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
tar xvf /tmp/trivy.tgz -C /tmp
chmod +x /tmp/trivy
- name: "CycloneDX: Generate SBOM"
working-directory: "phase_1/Python"
run: |
/tmp/trivy fs \
--format cyclonedx \
--output /tmp/application-sbom.cdx.json \
requirements.txt
- name: "SPDX: Generate SBOM"
working-directory: "phase_1/Python"
run: |
/tmp/trivy fs \
--format spdx-json \
--output /tmp/application-sbom.spdx.json \
requirements.txt
- name: Upload CycloneDX SBOM
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: application-sbom-cyclonedx
path: "/tmp/application-sbom.cdx.json"
- name: Upload SPDX SBOM
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: application-sbom-spdx
path: "/tmp/application-sbom.spdx.json"
Augment:
name: "Augment SBOMs"
runs-on: ubuntu-latest
needs: [Generate_Container, Generate_Application]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download all workflow run artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
- name: Install sbomasm
run: |
curl -L -o /tmp/sbomasm \
"https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64"
chmod +x /tmp/sbomasm
- name: "CycloneDX: Augment Container SBOM"
run: |
/tmp/sbomasm edit \
--subject Document \
--author "$SBOM_AUTHOR" \
--supplier "$SBOM_SUPPLIER" \
--repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
--license 'Apache-2.0' \
container-sbom-cyclonedx/container-sbom.cdx.json > /tmp/augmented_container-sbom.cdx.tmp
/tmp/sbomasm edit \
--subject primary-component \
--name phase1-python-application \
--author "$SBOM_AUTHOR" \
--supplier "$SBOM_SUPPLIER" \
--version "$GITHUB_SHA" \
--repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
--license 'Apache-2.0' \
/tmp/augmented_container-sbom.cdx.tmp > /tmp/augmented_container-sbom.cdx.json
- name: "CycloneDX: Augment Application SBOM"
run: |
/tmp/sbomasm edit \
--subject Document \
--name phase1-python-application \
--author "$SBOM_AUTHOR" \
--supplier "$SBOM_SUPPLIER" \
--repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
--lifecycle pre-build \
--license 'Apache-2.0' \
application-sbom-cyclonedx/application-sbom.cdx.json > /tmp/augmented_application-sbom.cdx.tmp
/tmp/sbomasm edit \
--subject primary-component \
--name phase1-python-application \
--author "$SBOM_AUTHOR" \
--supplier "$SBOM_SUPPLIER" \
--version "$GITHUB_SHA" \
--repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
--license 'Apache-2.0' \
/tmp/augmented_application-sbom.cdx.tmp >/tmp/augmented_application-sbom.cdx.json
- name: "SPDX: Augment Container SBOM"
run: |
/tmp/sbomasm edit \
--append \
--subject Document \
--name phase1-python-application \
--author "$SBOM_AUTHOR" \
--supplier "$SBOM_SUPPLIER" \
--repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
--lifecycle pre-build \
--license 'Apache-2.0' \
container-sbom-spdx/container-sbom.spdx.json > /tmp/augmented_container-sbom.spdx.tmp
/tmp/sbomasm edit \
--subject primary-component \
--name phase1-python-application \
--author "$SBOM_AUTHOR" \
--supplier "$SBOM_SUPPLIER" \
--version "$GITHUB_SHA" \
--repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
--license 'Apache-2.0' \
/tmp/augmented_container-sbom.spdx.tmp > /tmp/augmented_container-sbom.spdx.json
- name: "SPDX: Augment Application SBOM"
run: |
/tmp/sbomasm edit \
--append \
--subject Document \
--name phase1-python-application \
--author "$SBOM_AUTHOR" \
--supplier "$SBOM_SUPPLIER" \
--repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
--lifecycle pre-build \
--license 'Apache-2.0' \
application-sbom-spdx/application-sbom.spdx.json > /tmp/augmented_application-sbom.spdx.tmp
/tmp/sbomasm edit \
--subject primary-component \
--name phase1-python-application \
--author "$SBOM_AUTHOR" \
--supplier "$SBOM_SUPPLIER" \
--version "$GITHUB_SHA" \
--repository 'https://github.com/CISA-SBOM-Community/SBOM-Generation' \
--license 'Apache-2.0' \
/tmp/augmented_application-sbom.spdx.tmp > /tmp/augmented_application-sbom.spdx.json
- name: Upload Augmented SBOMs
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: augmented-sboms
path: "/tmp/augmented_*.json"
Enrich:
name: "Enrich SBOMs"
runs-on: ubuntu-latest
needs: [Augment]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download all workflow run artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
- name: Install parlay
run: |
curl -Ls https://github.com/snyk/parlay/releases/download/v${PARLAY_VERSION}/parlay_Linux_x86_64.tar.gz | tar xvz -C /tmp
chmod +x /tmp/parlay
- name: "CycloneDX: Enrich SBOMs"
run: |
/tmp/parlay ecosystems enrich \
augmented-sboms/augmented_container-sbom.cdx.json > /tmp/enriched_container-sbom.cdx.json
/tmp/parlay ecosystems enrich \
augmented-sboms/augmented_application-sbom.cdx.json > /tmp/enriched_application-sbom.cdx.json
- name: "SPDX: Enrich SBOMs"
run: |
/tmp/parlay ecosystems enrich \
augmented-sboms/augmented_container-sbom.spdx.json > /tmp/enriched_container-sbom.spdx.json
/tmp/parlay ecosystems enrich \
augmented-sboms/augmented_application-sbom.spdx.json > /tmp/enriched_application-sbom.spdx.json
- name: Upload Enriched SBOMs
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: enriched-sboms
path: "/tmp/enriched_*.json"
Validate:
name: "Validate SBOMs"
needs: Enrich
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download SBOMs
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
- name: Install sbomqs
run: |
curl -L -o /tmp/sbomqs \
"https://github.com/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64"
chmod +x /tmp/sbomqs
- name: "Display SBOM quality score through sbomqs"
run: |
echo \`\`\` >> ${GITHUB_STEP_SUMMARY}
for SBOM in $(find . -iname *.json); do
/tmp/sbomqs score "$SBOM" >> ${GITHUB_STEP_SUMMARY}
done
echo \`\`\` >> ${GITHUB_STEP_SUMMARY}