
@thlehmann-ionos

No description provided.

@thlehmann-ionos thlehmann-ionos force-pushed the tl/sbom-generation branch 12 times, most recently from 0fb3443 to 8869777 Compare November 4, 2024 15:44
@github-actions

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smoothly and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

- name: Generate SBOM (composer)
# Output filename can not be configured, is bom.xml
# https://github.com/CycloneDX/gh-php-composer-generate-sbom
uses: CycloneDX/gh-php-composer-generate-sbom@v1

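Review bot: the `uses: CycloneDX/gh-php-composer-generate-sbom@v1` line references a mutable tag, which is what the CodeQL finding below is about; pin the step to the full commit SHA of the release you tested and keep the tag as a trailing comment (`uses: CycloneDX/gh-php-composer-generate-sbom@<commit-sha> # v1`, SHA to be filled in) so the action that generates the SBOM cannot change underneath this workflow if the tag is moved.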
Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow

Unpinned 3rd party Action 'SBOM generation' step [Uses Step](1) uses 'CycloneDX/gh-php-composer-generate-sbom' with ref 'v1', not a pinned commit hash
Comment on lines 72 to 121
needs: generate-sbom
runs-on: ubuntu-latest

# https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container
container:
image: cyclonedx/cyclonedx-cli:0.27.1

steps:
- name: Download partial BOMs
uses: actions/download-artifact@v4
with:
name: bom-partials

- name: Merge SBOMs
# https://github.com/CycloneDX/cyclonedx-cli#merge-command
# Using v1_3 because with the default (1.6) the upload failed at the DT web interface
#
# The generated SBOM is fixed with sed to remove potentially bad characters
# Slashes are not allowed after the @ in the meta/component's bom-ref
# attribute and purl node.
run: |
cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3
sed -i -r 's;(pkg:composer/__root__)@[^"<]+;\1@merged-sbom;' bom.xml

# Pass merged BOM to next Job
# https://github.com/actions/upload-artifact
- name: Store merged BOM
uses: actions/upload-artifact@v4
with:
name: final-bom
path: bom.xml

upload-sboms:

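Review bot: neither this job nor the workflow declares a `permissions:` block (the CodeQL finding below); add `permissions: contents: read` at job level so the `GITHUB_TOKEN` available to the `cyclonedx/cyclonedx-cli:0.27.1` container and to the artifact steps carries no write scope. Two smaller points in the same hunk: the `sed` line replaces whatever follows `@` in the root component's bom-ref and purl with the literal `merged-sbom`, so the branch-derived version is dropped rather than sanitised, which the comment should say outright; and `actions/download-artifact@v4` / `actions/upload-artifact@v4` plus the `0.27.1` image tag are mutable references in the same way as the generate step above (a SHA for the actions, an `@sha256:` digest for the image).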
Check warning

Code scanning / CodeQL

Workflow does not contain permissions

Actions Job or Workflow does not set permissions
Comment on lines 105 to 150
needs: merge-sboms
runs-on: ubuntu-latest
steps:
- name: Download partial BOMs
uses: actions/download-artifact@v4
with:
name: final-bom

- name: Dump merged SBOM
run: |
cat bom.xml

# TODO: upload BOMs

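Review bot: same CodeQL finding as the previous job, no `permissions:` block; add `permissions: contents: read` here too, and when the `# TODO: upload BOMs` step is written, whatever credential the upload needs should come from a repository secret rather than from widening the token. The step name `Download partial BOMs` is stale, since this job downloads the `final-bom` artifact; rename it. `cat bom.xml` prints the whole merged SBOM into the job log, which is fine while debugging the upload but should go once the upload step exists.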
Check warning

Code scanning / CodeQL

Workflow does not contain permissions

Actions Job or Workflow does not set permissions
Upload to DT failed with schema validation error and no details,
maybe the version is too recent.
Problem figured out: the merged SBOM contains a "component" node with a
"bom-ref" attribute and a "purl" node, both of which contain values including the
current Git branch name, which happens to contain a slash in my case,
which, apparently, is not allowed.

This reverts commit 2e39012.
Upload to DT failed with schema validation error and no details,
maybe the version is too recent.
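As an added example, not code from the PR or from Nextcloud, the same root-component rewrite the workflow performs with `sed`, done over the parsed XML so that only `metadata/component` and the `dependency` refs that point at it are changed; the CycloneDX 1.3 namespace and the `merged-sbom` replacement come from the PR, while the sample BOM and its branch name are constructed.

```python
"""Added example (not the PR's code): the rewrite the workflow does with sed, done on the
XML tree so only metadata/component and dependency refs pointing at it change. Sample BOM constructed."""
import xml.etree.ElementTree as ET

CDX_NS = "http://cyclonedx.org/schema/bom/1.3"  # the PR merges with --output-version v1_3
NS = {"bom": CDX_NS}

SAMPLE_BOM = f"""<bom xmlns="{CDX_NS}" version="1">
  <metadata>
    <component type="application" bom-ref="pkg:composer/__root__@dev-feature/x">
      <purl>pkg:composer/__root__@dev-feature/x</purl>
    </component>
  </metadata>
  <dependencies>
    <dependency ref="pkg:composer/__root__@dev-feature/x">
      <dependency ref="pkg:composer/acme/lib@1.2.3"/>
    </dependency>
  </dependencies>
</bom>"""


def has_slash_in_version(ref: str) -> bool:
    """True when the text after '@' contains '/', the value DT rejected in the PR."""
    _, sep, version = ref.partition("@")
    return bool(sep) and "/" in version


def normalise_root(xml_text: str, replacement: str = "merged-sbom") -> tuple[str, list[str]]:
    """Return (BOM text, list of what changed); a BOM needing no change is returned verbatim."""
    ET.register_namespace("", CDX_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    changed: list[str] = []
    comp = root.find("bom:metadata/bom:component", NS)
    if comp is None:
        return xml_text, changed
    old_ref = comp.get("bom-ref", "")
    if has_slash_in_version(old_ref):
        new_ref = old_ref.partition("@")[0] + "@" + replacement
        comp.set("bom-ref", new_ref)
        changed.append("bom-ref")
        for dep in root.iter(f"{{{CDX_NS}}}dependency"):  # the graph refers to bom-refs
            if dep.get("ref") == old_ref:
                dep.set("ref", new_ref)
                changed.append("dependency-ref")
    purl = comp.find("bom:purl", NS)
    if purl is not None and purl.text and has_slash_in_version(purl.text):
        purl.text = purl.text.partition("@")[0] + "@" + replacement
        changed.append("purl")
    return (ET.tostring(root, encoding="unicode") if changed else xml_text), changed
```

Run it on the merged `bom.xml` from the workflow and it reports which refs were touched, which makes the rewrite auditable in the job log instead of a silent `sed -i`.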
@thlehmann-ionos thlehmann-ionos force-pushed the tl/sbom-generation branch 4 times, most recently from 6877336 to 70219cc Compare July 14, 2025 09:35