chore: set sbom timestamp

phi-ag · Sep 27, 2024 · ed1d2f0 · ed1d2f0
1 parent a83e2bf
commit ed1d2f0
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 3 deletions.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -13,6 +13,9 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Export commit timestamp
+        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+
       - name: Emscripten
         uses: ./.github/actions/emscripten
 

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -24,6 +24,10 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Export commit timestamp
+        if: ${{ steps.release.outputs.release_created }}
+        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+
       - name: Emscripten
         if: ${{ steps.release.outputs.release_created }}
         uses: ./.github/actions/emscripten

diff --git a/package.json b/package.json
@@ -54,6 +54,7 @@
     "@trivago/prettier-plugin-sort-imports": "4.3.0",
     "@types/eslint__js": "8.42.3",
     "@types/node": "22.7.3",
+    "@types/uuid": "10.0.0",
     "@vitest/coverage-v8": "2.1.1",
     "eslint": "9.11.1",
     "globals": "15.9.0",
@@ -62,12 +63,13 @@
     "prettier": "3.3.3",
     "typescript": "5.6.2",
     "typescript-eslint": "8.7.0",
+    "uuid": "10.0.0",
     "vitest": "2.1.1"
   },
   "pnpm": {
     "ignoredOptionalDependencies": [
-      "fsevents",
-      "@pkgjs/parseargs"
+      "@pkgjs/parseargs",
+      "fsevents"
     ]
   },
   "packageManager": "pnpm@9.11.0+sha512.0a203ffaed5a3f63242cd064c8fb5892366c103e328079318f78062f24ea8c9d50bc6a47aa3567cabefd824d170e78fa2745ed1f16b132e16436146b7688f19b"

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/utils/sbom.ts b/utils/sbom.ts
@@ -2,6 +2,7 @@ import { resolve } from "node:path";
 
 import { Enums, Factories, Models, Serialize, Spec } from "@cyclonedx/cyclonedx-library";
 import { PackageURL } from "packageurl-js";
+import { v7 as uuidv7 } from "uuid";
 
 import {
   argon2GitSubmodule,
@@ -13,11 +14,19 @@ import {
 
 const lFac = new Factories.LicenseFactory();
 
+const { SOURCE_DATE_EPOCH } = process.env;
+
+const sourceDateEpoch = SOURCE_DATE_EPOCH
+  ? new Date(Number(SOURCE_DATE_EPOCH) * 1000)
+  : new Date(0);
+
 const bom = new Models.Bom();
-bom.serialNumber = `urn:uuid:${crypto.randomUUID()}`;
+bom.serialNumber = `urn:uuid:${uuidv7({ msecs: sourceDateEpoch })}`;
 
 const purl = PackageURL.fromString(`pkg:npm/${packageJson.name}@${packageJson.version}`);
 
+bom.metadata.timestamp = sourceDateEpoch;
+
 bom.metadata.component = new Models.Component(
   Enums.ComponentType.Library,
   packageJson.name,