Add augmentation and enrichment to keycloak pipeline #29

Merged (20 commits, Oct 1, 2024)

Conversation

@idunbarh (Contributor) commented Sep 30, 2024

This PR adds the remaining capabilities to the Phase 1 Keycloak workflow.

This PR adds:

Additionally there are several tweaks:

  • Changing trivy to scan offline due to how long the workflow was running
  • validating only the enriched SBOMs

You can find the SBOM Quality Scoring here.

Signed-off-by: Ian Dunbar-Hall <ian.dunbar-hall@lmco.com>
…nners

@idunbarh idunbarh linked an issue Sep 30, 2024 that may be closed by this pull request
@idunbarh idunbarh requested review from douglasdennis, tiegz and a team September 30, 2024 05:04
@djmoch (Contributor) left a comment

I don't see any mention of sbomasm in the README, while parlay and snyk are both discussed. Am I just missing the discussion of sbomasm? Should we add some discussion to the README?

@idunbarh (Contributor, Author)

> I don't see any mention of sbomasm in the README, while parlay and snyk are both discussed. Am I just missing the discussion of sbomasm? Should we add some discussion to the README?

It's included under ...

- `Augment Keycloak SPDX` and `Augment Keycloak CycloneDX` Jobs
  - __Tool__
    - [sbomasm](https://github.com/interlynk-io/sbomasm)

I'm not super happy with how this info is presented, which leads to details being missed.

@tiegz (Collaborator) left a comment

looks good! Left a few minor changes/questions

Review comments (outdated, resolved) on:
- .github/workflows/phase_1_keycloak.yml (4)
- README.md
- phase_1/keycloak/README.md (2)
idunbarh and others added 5 commits September 30, 2024 16:15
Co-authored-by: Tieg Zaharia <tieg.zaharia@gmail.com>
@douglasdennis (Contributor)

It looks like there is a bug or something in parlay where it doesn't fill in supplier information for SPDX. A quick search found this open issue: snyk/parlay#76

I didn't see a fix in there, but I've only scanned pretty quickly.
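
A check for the gap douglasdennis describes, added here as an example (it is not code from this PR, from parlay or from sbomasm): it lists every package in an SPDX or CycloneDX JSON SBOM that lacks a usable supplier, so an enriched SBOM can be inspected before it is scored. The two three-package SBOMs are constructed samples, not Keycloak's, and the CycloneDX branch goes beyond the SPDX case the comment is about.

```python
import json
from typing import List

# Constructed sample: a minimal SPDX 2.3 JSON document of the kind an
# enrichment step emits (not a real Keycloak SBOM). One package has a
# supplier, one is missing the field entirely, one carries NOASSERTION.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "keycloak-example",
    "packages": [
        {"SPDXID": "SPDXRef-Package-a", "name": "keycloak-core",
         "versionInfo": "25.0.0", "supplier": "Organization: Keycloak"},
        {"SPDXID": "SPDXRef-Package-b", "name": "jackson-databind",
         "versionInfo": "2.17.0"},
        {"SPDXID": "SPDXRef-Package-c", "name": "slf4j-api",
         "versionInfo": "2.0.9", "supplier": "NOASSERTION"},
    ],
})

# Constructed sample: the same three components as CycloneDX 1.5 JSON,
# where supplier is an object with a "name" key rather than a string.
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "keycloak-core", "version": "25.0.0",
         "supplier": {"name": "Keycloak"}},
        {"type": "library", "name": "jackson-databind", "version": "2.17.0"},
        {"type": "library", "name": "slf4j-api", "version": "2.0.9",
         "supplier": {}},
    ],
})


def packages_missing_supplier(sbom_text: str) -> List[str]:
    """Return 'name@version' for every package/component without a usable supplier.

    SPDX 2.x JSON: packages[].supplier is a string such as "Organization: Keycloak";
    an absent field, NOASSERTION or NONE all count as missing.
    CycloneDX JSON: components[].supplier.name must be a non-empty string.
    Any other document raises, so an unexpected format fails loudly in CI.
    """
    doc = json.loads(sbom_text)
    missing: List[str] = []
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for pkg in doc.get("packages", []):
            supplier = str(pkg.get("supplier", "")).strip()
            if supplier in ("", "NOASSERTION", "NONE"):
                missing.append(f"{pkg.get('name')}@{pkg.get('versionInfo', '')}")
    elif doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            supplier = comp.get("supplier") or {}
            if not str(supplier.get("name", "")).strip():
                missing.append(f"{comp.get('name')}@{comp.get('version', '')}")
    else:
        raise ValueError("unrecognised SBOM format: expected SPDX or CycloneDX JSON")
    return missing


if __name__ == "__main__":
    for label, text in (("SPDX", SPDX_SAMPLE), ("CycloneDX", CDX_SAMPLE)):
        gaps = packages_missing_supplier(text)
        print(f"{label}: {len(gaps)} package(s) without supplier: {gaps}")
```

Supplier name is one of the NTIA minimum elements, so a package this check flags will also drag down the corresponding sbomqs score; running it on the enriched output, not the raw syft output, shows whether the enrichment step actually closed the gap.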

@douglasdennis (Contributor) left a comment

I'm still running through some of the scorecard to see what the enrichments are doing. What would be the best way to handle that? Maybe merge this and then start opening issues that get PRs to fix? Or do we want to keep tackling stuff in this PR?

Review comments on:
- phase_1/keycloak/README.md (outdated, resolved)
- .github/workflows/phase_1_keycloak.yml (2, resolved)
@idunbarh (Contributor, Author) commented Oct 1, 2024

> I'm still running through some of the scorecard to see what the enrichments are doing. What would be the best way to handle that? Maybe merge this and then start opening issues that get PRs to fix? Or do we want to keep tackling stuff in this PR?

My vote would be merge, and then continue to improve through additional PRs.

idunbarh and others added 2 commits September 30, 2024 21:29
Co-authored-by: Douglas Dennis <douglasdennisjr@gmail.com>
@dasarpjonam (Collaborator)

@idunbarh - Thanks for putting this together. This looks good to me. The sbomqs output is too verbose; it could be an artifact. We can have a green (pass) or red (fail) stamp based on the sbomqs output.
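
One way to turn the sbomqs output into the pass/fail stamp dasarpjonam suggests, added here as an example and not anything in this PR or in sbomqs itself: a gate that reads a sbomqs JSON report, fails on a low average or on required features scoring under a floor, and appends the stamp to the GitHub Actions job summary so the verbose report can stay an artifact. The report layout (files[].avg_score and files[].scores[] with feature/score/max_score), the feature names, and the thresholds are assumptions; the report is a constructed sample.

```python
import json
import os
import sys
from typing import List, Tuple

# Constructed sample report. The layout (files[].avg_score and files[].scores[]
# with feature/score/max_score) is an assumption about `sbomqs score` JSON
# output, not copied from a real run against the Keycloak SBOM.
SBOMQS_REPORT = json.dumps({
    "files": [{
        "file_name": "keycloak.enriched.spdx.json",
        "avg_score": 7.6,
        "scores": [
            {"category": "NTIA-minimum-elements", "feature": "comp_with_name", "score": 10.0, "max_score": 10.0},
            {"category": "NTIA-minimum-elements", "feature": "comp_with_version", "score": 9.5, "max_score": 10.0},
            {"category": "NTIA-minimum-elements", "feature": "comp_with_supplier", "score": 3.2, "max_score": 10.0},
            {"category": "Quality", "feature": "comp_with_licenses", "score": 8.0, "max_score": 10.0},
        ],
    }],
})

MIN_AVG_SCORE = 7.0          # overall threshold, chosen for the example
MIN_FEATURE_SCORE = 5.0      # per-feature floor for the required features
REQUIRED_FEATURES = ("comp_with_name", "comp_with_version", "comp_with_supplier")


def evaluate(report_text: str,
             min_avg: float = MIN_AVG_SCORE,
             min_feature: float = MIN_FEATURE_SCORE,
             required: Tuple[str, ...] = REQUIRED_FEATURES) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). An empty reasons list means every gate held."""
    report = json.loads(report_text)
    reasons: List[str] = []
    for f in report.get("files", []):
        name = f.get("file_name", "<unknown>")
        avg = float(f.get("avg_score", 0.0))
        if avg < min_avg:
            reasons.append(f"{name}: average score {avg:.1f} below {min_avg:.1f}")
        seen = {}
        for s in f.get("scores", []):
            seen[s["feature"]] = (float(s["score"]), float(s.get("max_score", 10.0)))
        # A required feature that is absent from the report is treated as a failure,
        # so a renamed or dropped metric cannot silently pass the gate.
        for feat in required:
            if feat not in seen:
                reasons.append(f"{name}: required feature {feat} not reported")
            elif seen[feat][0] < min_feature:
                score, mx = seen[feat]
                reasons.append(f"{name}: {feat} scored {score:.1f}/{mx:.0f}, below {min_feature:.1f}")
    return (not reasons, reasons)


def summary_markdown(passed: bool, reasons: List[str]) -> str:
    """One-line pass/fail stamp plus the reasons, in GitHub job-summary Markdown."""
    lines = ["### SBOM quality gate: " + (":green_circle: PASS" if passed else ":red_circle: FAIL")]
    lines += [f"- {r}" for r in reasons]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Read a real report from argv[1] if given, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SBOMQS_REPORT
    ok, why = evaluate(text)
    md = summary_markdown(ok, why)
    # GITHUB_STEP_SUMMARY is set by GitHub Actions; appending to it renders the stamp on the run page.
    summary_path = os.environ.get("GITHUB_STEP_SUMMARY")
    if summary_path:
        with open(summary_path, "a") as fh:
            fh.write(md)
    print(md, end="")
    sys.exit(0 if ok else 1)
```

Run as a workflow step after sbomqs with the JSON report as the argument; a non-zero exit fails the job, and the stamp lands in the job summary while the full report stays uploaded as an artifact. On the constructed sample the average passes but the supplier feature falls under the floor, which is the same gap the parlay discussion above points at.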

…formation is not overridden

@vpetersson (Collaborator) left a comment

Added minor comments.

Review comments on:
- .github/workflows/phase_1_keycloak.yml (2, resolved)
…n 1 hour to run

@idunbarh idunbarh merged commit 336d4d9 into main Oct 1, 2024
9 checks passed
@idunbarh idunbarh deleted the 24-add-augmentation-to-keycloak-pipeline branch October 1, 2024 18:31
Linked issue (may be closed by this pull request): Add augmentation to keycloak pipeline
6 participants