
SBOM generation to go along w/ every release #29443

Open
5 tasks
mbiuki opened this issue Aug 2, 2024 · 2 comments · Fixed by #29467 · May be fixed by #29584

mbiuki commented Aug 2, 2024

Parent Issue

No response

Task

We need to automate the generation of Software Bill of Materials (SBOM) using GitHub Actions. This automation should ensure that a new SBOM is generated with each new build and release. The preferred SBOM formats are SPDX and CycloneDX.

Additional Information:

Proposed Objective

Security & Privacy

Proposed Priority

Priority 2 - Important

Acceptance Criteria

  1. A GitHub Actions workflow is created and triggers on every push to the main branch OR on every release.
  2. SBOMs in SPDX and CycloneDX formats are generated and stored in the repository.
  3. SBOM files are attached to the release artifacts, and a hyperlink to them is indicated on the changelog site.
  4. The process is documented and easy to understand. Change log should have a hyperlink to the latest and greatest SBOM.

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

No response

Assumptions & Initiation Needs

No response

Quality Assurance Notes & Workarounds

No response

Sub-Tasks & Estimates

No response

Tasks


mbiuki commented Aug 2, 2024

TODO

Create GitHub Actions Workflow:
Set up a GitHub Actions workflow to run on every push to the main branch and on every release.
The workflow should trigger SBOM generation tools compatible with SPDX and CycloneDX formats.

Integrate SBOM Generation Tool:
Select and integrate an SBOM generation tool that supports SPDX and CycloneDX formats (e.g., Syft, CycloneDX GitHub Action).
Configure the tool to scan the codebase and generate the SBOM.

Store and Attach SBOM:
Save the generated SBOM in the repository.
Attach the SBOM file to the release artifacts.

Testing and Validation:
Test the workflow to ensure SBOM is generated correctly.
Validate the SBOM formats and ensure they meet the required standards.

Documentation:
Document the setup process in the repository’s README or a separate documentation file.
Create a hyperlink in the changelog.
Provide instructions on how to manually trigger the SBOM generation if needed.
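For the "Testing and Validation" step above, here is an added example (not code from this thread or the project) of a structural check a workflow can run over the generated files before attaching them to a release. File names such as sbom.spdx.json and sbom.cdx.json are hypothetical, and the embedded sample documents are constructed; the script checks required top-level and per-entry fields only, not the full SPDX or CycloneDX schemas.

```python
"""Structural checks for the SPDX and CycloneDX SBOMs a release workflow produces."""
import json
import sys

SPDX_DOC_KEYS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                 "documentNamespace", "creationInfo", "packages")
CDX_DOC_KEYS = ("bomFormat", "specVersion", "version", "components")

def detect_format(doc):
    """Return 'spdx', 'cyclonedx' or None, judged from the top-level markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    return None

def validate_sbom(doc):
    """Return a list of problems; an empty list means the document passed."""
    fmt = detect_format(doc)
    if fmt == "spdx":
        keys, items, item_keys = SPDX_DOC_KEYS, "packages", ("name", "SPDXID", "downloadLocation")
        fixed = {"SPDXID": "SPDXRef-DOCUMENT", "dataLicense": "CC0-1.0"}
    elif fmt == "cyclonedx":
        keys, items, item_keys = CDX_DOC_KEYS, "components", ("type", "name")
        fixed = {"bomFormat": "CycloneDX"}
    else:
        return ["unrecognised SBOM format (neither SPDX nor CycloneDX JSON)"]
    problems = [f"{fmt}: missing top-level {k}" for k in keys if k not in doc]
    problems += [f"{fmt}: {k} must be {v!r}" for k, v in fixed.items() if doc.get(k) != v]
    entries = doc.get(items) or []
    if not entries:  # a scan that recorded nothing is a broken build, not a clean one
        problems.append(f"{fmt}: {items} is empty")
    for i, entry in enumerate(entries):
        problems += [f"{fmt}: {items}[{i}] missing {k}" for k in item_keys if k not in entry]
    return problems

def validate_file(path):
    """Load one SBOM file from disk and return its problem list."""
    with open(path, encoding="utf-8") as fh:
        return validate_sbom(json.load(fh))

SAMPLE_CDX = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,  # constructed
              "components": [{"type": "library", "name": "example-lib", "version": "1.0.0"}]}
SAMPLE_SPDX_BAD = {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",  # constructed, incomplete
                   "SPDXID": "SPDXRef-DOCUMENT", "name": "release", "packages": []}

if __name__ == "__main__":  # e.g. python check_sbom.py sbom.spdx.json sbom.cdx.json
    failures = {p: validate_file(p) for p in sys.argv[1:]}
    print(json.dumps(failures, indent=2))
    sys.exit(1 if any(failures.values()) else 0)
```

A non-zero exit fails the workflow step, so an empty or malformed SBOM is never attached to the release.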


mbiuki commented Aug 3, 2024

FYI, @jdcmsd ☝🏻

@rsh1k rsh1k linked a pull request Aug 4, 2024 that will close this issue
@mbiuki mbiuki linked a pull request Aug 8, 2024 that will close this issue
@rsh1k rsh1k linked a pull request Aug 15, 2024 that will close this issue
@mbiuki mbiuki reopened this Aug 15, 2024
Status: In Progress