Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Snyk SBOM #8249

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Snyk SBOM #8249

wants to merge 3 commits into from

Conversation

enzowritescode
Copy link

@enzowritescode enzowritescode commented Oct 8, 2024
edited
Loading

Summary

Generate SBOM (software bill of materials ) on release

Ticket Link

https://mattermost.atlassian.net/browse/SEC-6362

Release Note

NONE

@enzowritescode enzowritescode marked this pull request as ready for review October 9, 2024 15:58
saturninoabril
saturninoabril reviewed Oct 9, 2024
View reviewed changes
.github/workflows/github-release.yml
@@ -47,6 +47,14 @@ jobs:
path: Mattermost-unsigned.ipa
name: Mattermost-unsigned.ipa

-name: ci/sbom-ios
uses: ./.github/actions/snyk-sbom
working-directory: ./ios
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(echoing my comment in the ticket)

Will this be able to pick up JS dependencies from the root (package*.json)? Same question with android.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should.. npm will check in the parent folder if needed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After checking with the generated SBOMs from @enzowritescode, the build-specific SBOMs did not contain npm packages. Here is the summary:

## sbom_ios.json
- purl (total) -- 178
- pkg:cocoapods -- 170
- pkg:swift -- 8

## sbom_android.json
- purl (total) -- 5953
- pkg:maven -- 5953

As compared to SBOM for the whole project:

## sbom.json
- purl (total) -- 7546
- pkg:gem -- 138
- pkg:npm -- 1120
- pkg:maven -- 6110
- pkg:cocoapods -- 170
- pkg:swift -- 8

saturninoabril
saturninoabril approved these changes Oct 9, 2024
View reviewed changes
Copy link
Member

@saturninoabril saturninoabril left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @enzowritescode, LGTM. Left comment for my reference only.

@saturninoabril saturninoabril self-requested a review October 9, 2024 22:02
@enzowritescode enzowritescode marked this pull request as draft October 9, 2024 22:03
@enzowritescode
Copy link
Author

Converting back to a draft while I discuss with Snyk the dependencies/lockfile issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enahum enahum enahum left review comments

@toninis toninis Awaiting requested review from toninis

@saturninoabril saturninoabril Awaiting requested review from saturninoabril

Assignees
No one assigned
Labels
release-note-none
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@enzowritescode @saturninoabril @enahum @mm-cloud-bot