Proper path fix #97
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Phase 1 - Python | |
| on: [push] | |
| env: | |
| PARLAY_VERSION: 0.5.1 | |
| SBOMASM_VERSION: 0.1.5 | |
| SBOMQS_VERSION: 0.1.9 | |
| SEMVER: 0.1.0 | |
| TRIVY_VERSION: 0.54.1 | |
| SBOM_AUTHOR: "CISA Tiger Group for SBOM Generation Reference Implementations" | |
| SBOM_SUPPLIER: "CISA Tiger Group for SBOM Generation Reference Implementations" | |
| jobs: | |
| Generate_Container: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # We're using native docker build here rather | |
| # than 'docker/build-push-action' to make the run | |
| # more pipeline agnostic. | |
| - name: Build Docker image | |
| working-directory: "phase_1/Python" | |
| run: | | |
| docker build -t phase-1-python . | |
| - name: Install Trivy | |
| run: | | |
| curl -L -o /tmp/trivy.tgz \ | |
| "https:/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | |
| tar xvf /tmp/trivy.tgz -C /tmp | |
| chmod +x /tmp/trivy | |
| - name: Generate SBOM with Trivy | |
| working-directory: "phase_1/Python" | |
| run: | | |
| /tmp/trivy image \ | |
| --format cyclonedx \ | |
| --pkg-types os \ | |
| --output /tmp/container-sbom.cdx.json \ | |
| phase-1-python | |
| /tmp/trivy image \ | |
| --format spdx-json \ | |
| --pkg-types os \ | |
| --output /tmp/container-sbom.spdx.json \ | |
| phase-1-python | |
| - name: Upload CycloneDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: container-sbom-cyclonedx | |
| path: "/tmp/container-sbom.cdx.json" | |
| - name: Upload SPDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: container-sbom-spdx | |
| path: "/tmp/container-sbom.spdx.json" | |
| Generate_Application: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Trivy | |
| run: | | |
| curl -L -o /tmp/trivy.tgz \ | |
| "https:/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | |
| tar xvf /tmp/trivy.tgz -C /tmp | |
| chmod +x /tmp/trivy | |
| - name: "CycloneDX: Generate SBOM" | |
| working-directory: "phase_1/Python" | |
| run: | | |
| /tmp/trivy fs \ | |
| --format cyclonedx \ | |
| --output /tmp/application-sbom.cdx.json \ | |
| requirements.txt | |
| - name: "SPDX: Generate SBOM" | |
| working-directory: "phase_1/Python" | |
| run: | | |
| /tmp/trivy fs \ | |
| --format spdx-json \ | |
| --output /tmp/application-sbom.spdx.json \ | |
| requirements.txt | |
| - name: Upload CycloneDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: application-sbom-cyclonedx | |
| path: "/tmp/application-sbom.cdx.json" | |
| - name: Upload SPDX SBOM | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: application-sbom-spdx | |
| path: "/tmp/application-sbom.spdx.json" | |
| Augment: | |
| runs-on: ubuntu-latest | |
| needs: [Generate_Container, Generate_Application] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download all workflow run artifacts | |
| uses: actions/download-artifact@v4 | |
| - name: Install sbomasm | |
| run: | | |
| curl -L -o /tmp/sbomasm \ | |
| "https:/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64" | |
| chmod +x /tmp/sbomasm | |
| - name: Augment Container CycloneDX - document | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --subject Document \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| container-sbom-cyclonedx/container-sbom.cdx.json > /tmp/augmented_container-sbom.cdx.tmp | |
| - name: Augment Container CycloneDX - component | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --subject primary-component \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --version "$GITHUB_SHA" \ | |
| --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| /tmp/augmented_container-sbom.cdx.tmp > /tmp/augmented_container-sbom.cdx.json | |
| - name: Augment Application CycloneDX - document | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --subject Document \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \ | |
| --lifecycle source \ | |
| --license 'Apache-2.0' \ | |
| application-sbom-cyclonedx/application-sbom.cdx.json > /tmp/augmented_application-sbom.cdx.tmp | |
| - name: Augment Application CycloneDX - component | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --subject primary-component \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --version "$GITHUB_SHA" \ | |
| --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| /tmp/augmented_application-sbom.cdx.tmp >/tmp/augmented_application-sbom.cdx.json | |
| - name: Augment Container SPDX - document | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --append \ | |
| --subject Document \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \ | |
| --lifecycle source \ | |
| --license 'Apache-2.0' \ | |
| container-sbom-spdx/container-sbom.spdx.json > /tmp/augmented_container-sbom.spdx.tmp | |
| - name: Augment Container SPDX - component | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --subject primary-component \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --version "$GITHUB_SHA" \ | |
| --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| /tmp/augmented_container-sbom.spdx.tmp > /tmp/augmented_container-sbom.spdx.json | |
| - name: Augment Application SPDX - document | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --append \ | |
| --subject Document \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \ | |
| --lifecycle source \ | |
| --license 'Apache-2.0' \ | |
| application-sbom-spdx/application-sbom.spdx.json > /tmp/augmented_application-sbom.spdx.tmp | |
| - name: Augment Application SPDX - component | |
| run: | | |
| /tmp/sbomasm edit \ | |
| --subject primary-component \ | |
| --name phase1-python-application \ | |
| --author "$SBOM_AUTHOR" \ | |
| --supplier "$SBOM_SUPPLIER" \ | |
| --version "$GITHUB_SHA" \ | |
| --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \ | |
| --license 'Apache-2.0' \ | |
| /tmp/augmented_application-sbom.spdx.tmp > /tmp/enriched_application-sbom.spdx.json | |
| - name: Upload Enriched SBOMs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: enriched-sboms | |
| path: "/tmp/augmented_*.json" | |
| Enrich: | |
| runs-on: ubuntu-latest | |
| needs: [Augment] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download all workflow run artifacts | |
| uses: actions/download-artifact@v4 | |
| Consolidate: | |
| runs-on: ubuntu-latest | |
| needs: [Augment] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download all workflow run artifacts | |
| uses: actions/download-artifact@v4 | |
| # TODO: Add SPDX | |
| - name: Build top-level CDX SBOM | |
| run: | | |
| # Create destination folder | |
| #mkdir /tmp/output | |
| # Define metadata for parent template | |
| #export TOP_LEVEL_UUID=$(uuidgen) | |
| #export APPLICATION_SBOM_SHA256=$(sha256sum enriched-sboms/enriched_application-sbom.cdx.json | awk {'print $1'}) | |
| #export CONTAINER_SBOM_SHA256=$(sha256sum enriched-sboms/enriched_container-sbom.cdx.json | awk {'print $1'}) | |
| #export CREATION_TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%S%z") | |
| #export CONTAINER_BOM_REF=$(jq -r '.metadata.component["bom-ref"]' enriched-sboms/enriched_container-sbom.cdx.json) | |
| #export APPLICATION_BOM_REF=$(jq -r '.metadata.component["bom-ref"]' enriched-sboms/enriched_application-sbom.cdx.json) | |
| # We're using `envsubst` here to populate the metadata | |
| # template from environment variables | |
| #cat "phase_1/Python/sbom/top-level.cdx.json.tmpl" | jq | \ | |
| # envsubst > top-level-sbom.cdx.json.tmp | |
| # Set GITHUB_RUN_NUMBER as the version of the SBOM | |
| #jq '.version = (env.GITHUB_RUN_NUMBER | tonumber)' \ | |
| # top-level-sbom.cdx.json.tmp \ | |
| # > /tmp/output/top-level-sbom.cdx.json | |
| # Copy in enriched SBOMs | |
| #cp enriched-sboms/enriched_*-sbom.cdx.json /tmp/output/ | |
| - name: Upload Top Level SBOMs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: top-level-sboms | |
| path: /tmp/output/ | |
| Validate: | |
| needs: Consolidate | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download SBOMs | |
| uses: actions/download-artifact@v4 | |
| - name: Install sbomqs | |
| run: | | |
| curl -L -o /tmp/sbomqs \ | |
| "https:/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64" | |
| chmod +x /tmp/sbomqs | |
| - name: "Display SBOM quality score through sbomqs" | |
| run: | | |
| echo \`\`\` >> ${GITHUB_STEP_SUMMARY} | |
| for SBOM in $(find . -iname *.json); do | |
| /tmp/sbomqs score "$SBOM" >> ${GITHUB_STEP_SUMMARY} | |
| done | |
| echo \`\`\` >> ${GITHUB_STEP_SUMMARY} |