Merge pull request #50 from NHSDigital/APM-6390

sbom configuration

Author: CLJ2006

.github/README.md

@@ -0,0 +1,58 @@
+# SBOM & Vulnerability Scanning Automation
+
+This repository uses GitHub Actions to automatically generate a Software Bill of Materials (SBOM), scan for vulnerabilities, and produce package inventory reports.
+
+All reports are named with the repository name for easy identification.
+
+## Features
+
+SBOM Generation: Uses Syft to generate an SPDX JSON SBOM.
+SBOM Merging: Merges SBOMs for multiple tools if needed.
+SBOM to CSV: Converts SBOM JSON to a CSV report.
+Vulnerability Scanning: Uses Grype to scan the SBOM for vulnerabilities and outputs a CSV report.
+Package Inventory: Extracts a simple package list (name, type, version) as a CSV.
+Artifacts: All reports are uploaded as workflow artifacts with the repository name in the filename.
+
+## Workflow Overview
+
+The main workflow is defined in .github/workflows/sbom.yml
+
+## Scripts
+
+scripts/create-sbom.sh
+Generates an SBOM for the repo and for specified tools, merging them as needed.
+scripts/update-sbom.py
+Merges additional SBOMs into the main SBOM.
+.github/scripts/sbom_json_to_csv.py
+Converts the SBOM JSON to a detailed CSV report.
+.github/scripts/grype_json_to_csv.py
+Converts Grype’s vulnerability scan JSON output to a CSV report.
+Output columns: REPO, NAME, INSTALLED, FIXED-IN, TYPE, VULNERABILITY, SEVERITY
+.github/scripts/sbom_packages_to_csv.py
+Extracts a simple package inventory from the SBOM.
+Output columns: name, type, version
+
+## Example Reports
+
+Vulnerability Report
+grype-report-[RepoName].csv
+REPO,NAME,INSTALLED,FIXED-IN,TYPE,VULNERABILITY,SEVERITY
+my-repo,Flask,2.1.2,,library,CVE-2022-12345,High
+...
+
+Package Inventory
+sbom-packages-[RepoName].csv
+name,type,version
+Flask,library,2.1.2
+Jinja2,library,3.1.2
+...
+
+## Usage
+
+Push to main branch or run the workflow manually.
+Download artifacts from the workflow run summary.
+
+## Customization
+
+Add more tools to scripts/create-sbom.sh as needed.
+Modify scripts to adjust report formats or add more metadata.

.github/scripts/grype_json_to_csv.py

@@ -0,0 +1,28 @@
+import json
+import csv
+import sys
+
+input_file = sys.argv[1] if len(sys.argv) > 1 else "grype-report.json"
+output_file = sys.argv[2] if len(sys.argv) > 2 else "grype-report.csv"
+
+with open(input_file, "r", encoding="utf-8") as f:
+    data = json.load(f)
+
+columns = ["NAME", "INSTALLED", "FIXED-IN", "TYPE", "VULNERABILITY", "SEVERITY"]
+
+with open(output_file, "w", newline="", encoding="utf-8") as csvfile:
+    writer = csv.DictWriter(csvfile, fieldnames=columns)
+    writer.writeheader()
+    for match in data.get("matches", []):
+        pkg = match.get("artifact", {})
+        vuln = match.get("vulnerability", {})
+        row = {
+            "NAME": pkg.get("name", ""),
+            "INSTALLED": pkg.get("version", ""),
+            "FIXED-IN": vuln.get("fix", {}).get("versions", [""])[0] if vuln.get("fix", {}).get("versions") else "",
+            "TYPE": pkg.get("type", ""),
+            "VULNERABILITY": vuln.get("id", ""),
+            "SEVERITY": vuln.get("severity", ""),
+        }
+        writer.writerow(row)
+print(f"CSV export complete: {output_file}")

.github/scripts/sbom_json_to_csv.py

@@ -0,0 +1,74 @@
+import json
+import csv
+import sys
+from pathlib import Path
+from tabulate import tabulate
+
+input_file = sys.argv[1] if len(sys.argv) > 1 else "sbom.json"
+output_file = sys.argv[2] if len(sys.argv) > 2 else "sbom.csv"
+
+with open(input_file, "r", encoding="utf-8") as f:
+    sbom = json.load(f)
+
+packages = sbom.get("packages", [])
+
+columns = [
+    "name",
+    "versionInfo",
+    "type",
+    "supplier",
+    "downloadLocation",
+    "licenseConcluded",
+    "licenseDeclared",
+    "externalRefs"
+]
+
+def get_type(pkg):
+    spdxid = pkg.get("SPDXID", "")
+    if "-" in spdxid:
+        parts = spdxid.split("-")
+        if len(parts) > 2:
+            return parts[2]
+    refs = pkg.get("externalRefs", [])
+    for ref in refs:
+        if ref.get("referenceType") == "purl":
+            return ref.get("referenceLocator", "").split("/")[0]
+    return ""
+
+def get_external_refs(pkg):
+    refs = pkg.get("externalRefs", [])
+    return ";".join([ref.get("referenceLocator", "") for ref in refs])
+
+with open(output_file, "w", newline="", encoding="utf-8") as csvfile:
+    writer = csv.DictWriter(csvfile, fieldnames=columns)
+    writer.writeheader()
+    for pkg in packages:
+        row = {
+            "name": pkg.get("name", ""),
+            "versionInfo": pkg.get("versionInfo", ""),
+            "type": get_type(pkg),
+            "supplier": pkg.get("supplier", ""),
+            "downloadLocation": pkg.get("downloadLocation", ""),
+            "licenseConcluded": pkg.get("licenseConcluded", ""),
+            "licenseDeclared": pkg.get("licenseDeclared", ""),
+            "externalRefs": get_external_refs(pkg)
+        }
+        writer.writerow(row)
+
+print(f"CSV export complete: {output_file}")
+
+with open("sbom_table.txt", "w", encoding="utf-8") as f:
+    table = []
+    for pkg in packages:
+        row = [
+            pkg.get("name", ""),
+            pkg.get("versionInfo", ""),
+            get_type(pkg),
+            pkg.get("supplier", ""),
+            pkg.get("downloadLocation", ""),
+            pkg.get("licenseConcluded", ""),
+            pkg.get("licenseDeclared", ""),
+            get_external_refs(pkg)
+        ]
+        table.append(row)
+    f.write(tabulate(table, columns, tablefmt="grid"))

.github/scripts/sbom_packages_to_csv.py

@@ -0,0 +1,28 @@
+import json
+import csv
+import sys
+import os
+
+input_file = sys.argv[1] if len(sys.argv) > 1 else "sbom.json"
+repo_name = sys.argv[2] if len(sys.argv) > 2 else os.getenv("GITHUB_REPOSITORY", "unknown-repo").split("/")[-1]
+output_file = f"sbom-packages-{repo_name}.csv"
+
+with open(input_file, "r", encoding="utf-8") as f:
+    sbom = json.load(f)
+
+packages = sbom.get("packages", [])
+
+columns = ["name", "type", "version"]
+
+with open(output_file, "w", newline="", encoding="utf-8") as csvfile:
+    writer = csv.DictWriter(csvfile, fieldnames=columns)
+    writer.writeheader()
+    for pkg in packages:
+        row = {
+            "name": pkg.get("name", ""),
+            "type": pkg.get("type", ""),
+            "version": pkg.get("versionInfo", "")
+        }
+        writer.writerow(row)
+
+print(f"Package list CSV generated: {output_file}")

.github/workflows/pr.yml

@@ -27,7 +27,7 @@ jobs:
           echo ::set-output name=candidate::$(grep version pr/pyproject.toml | awk -F\" '{print $2}')
 
       - name: Install Python 3.8
-        uses: actions/setup-python@v1
+        uses: actions/setup-python@v5
         with:
           python-version: 3.8
 

.github/workflows/sbom.yml

@@ -0,0 +1,110 @@
+name: SBOM Vulnerability Scanning
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Run SBOM check"
+        required: true
+        type: choice
+        options:
+          - yes
+          - no
+
+env:
+  SYFT_VERSION: "1.27.1"
+  TF_VERSION: "1.12.2"
+
+jobs:
+  deploy:
+    name: Software Bill of Materials
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5        
+
+      - name: Setup Python 3.13
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+
+      - uses: terraform-linters/setup-tflint@ae78205cfffec9e8d93fd2b3115c7e9d3166d4b6
+        name: Setup TFLint
+
+      - name: Set architecture variable
+        id: os-arch
+        run: |
+          case "${{ runner.arch }}" in
+            X64) ARCH="amd64" ;;
+            ARM64) ARCH="arm64" ;;
+          esac
+          echo "arch=${ARCH}" >> $GITHUB_OUTPUT
+
+      - name: Download and setup Syft
+        run: |
+          DOWNLOAD_URL="https://github.com/anchore/syft/releases/download/v${{ env.SYFT_VERSION }}/syft_${{ env.SYFT_VERSION }}_linux_${{ steps.os-arch.outputs.arch }}.tar.gz"
+          echo "Downloading: ${DOWNLOAD_URL}"
+
+          curl -L -o syft.tar.gz "${DOWNLOAD_URL}"
+          tar -xzf syft.tar.gz
+          chmod +x syft
+
+          # Add to PATH for subsequent steps
+          echo "$(pwd)" >> $GITHUB_PATH       
+
+      - name: Create SBOM
+        run: bash scripts/create-sbom.sh terraform python tflint
+
+      - name: Convert SBOM JSON to CSV
+        run: |
+          pip install --upgrade pip
+          pip install tabulate  
+          REPO_NAME=$(basename $GITHUB_REPOSITORY)
+          python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv
+
+      - name: Upload SBOM CSV as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-csv
+          path: SBOM_${{ github.event.repository.name }}.csv
+
+      - name: Install Grype
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Scan SBOM for Vulnerabilities (JSON)
+        run: |
+          grype sbom:sbom.json -o json > grype-report.json
+          
+      
+
+      - name: Convert Grype JSON to CSV
+        run: |
+          pip install --upgrade pip
+          REPO_NAME=$(basename $GITHUB_REPOSITORY)
+          python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv
+
+
+      - name: Upload Vulnerability Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: grype-report
+          path: grype-report-${{ github.event.repository.name }}.csv
+
+      - name: Generate Package Inventory CSV
+        run: |
+          pip install --upgrade pip
+          REPO_NAME=$(basename $GITHUB_REPOSITORY)
+          python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME
+
+      - name: Upload Package Inventory CSV
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-packages
+          path: sbom-packages-${{ github.event.repository.name }}.csv

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "proxygen-cli"
-version = "2.1.19"
+version = "2.1.20"
 description = "CLI for interacting with NHSD APIM's proxygen service"
 authors = ["Ben Strutt <ben.strutt1@nhs.net>"]
 readme = "README.md"

scripts/create-sbom.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+# Generate SBOM for current directory
+syft -o spdx-json . > "$REPO_ROOT/sbom.json"
+
+# Generate and merge SBOMs for each tool passed as argument
+for tool in "$@"; do
+  echo "Creating SBOM for $tool and merging"
+  tool_path=$(command -v "$tool")
+  if [[ -z "$tool_path" ]]; then
+    echo "Warning: '$tool' not found in PATH. Skipping." >&2
+    continue
+  fi
+  syft -q -o spdx-json "$tool_path" | python "$REPO_ROOT/scripts/update-sbom.py"
+done

scripts/update-sbom.py

@@ -0,0 +1,21 @@
+import json
+import sys
+from pathlib import Path
+
+
+def main() -> None:
+    with Path("sbom.json").open("r") as f:
+        sbom = json.load(f)
+
+    tool = json.loads(sys.stdin.read())
+
+    sbom.setdefault("packages", []).extend(tool.setdefault("packages", []))
+    sbom.setdefault("files", []).extend(tool.setdefault("files", []))
+    sbom.setdefault("relationships", []).extend(tool.setdefault("relationships", []))
+
+    with Path("sbom.json").open("w") as f:
+        json.dump(sbom, f)
+
+
+if __name__ == "__main__":
+    main()