Adopts sbomasm

.github/workflows/phase_1_python.yml

@@ -3,9 +3,13 @@ name: Phase 1 - Python
 on: [push]
 
 env:
- TRIVY_VERSION: 0.54.1
+ PARLAY_VERSION: 0.5.1
+ SBOMASM_VERSION: 0.1.5
  SBOMQS_VERSION: 0.1.9
  SEMVER: 0.1.0
+ TRIVY_VERSION: 0.54.1
+ SBOM_AUTHOR: "CISA Tiger Group for SBOM Generation Reference Implementations"
+ SBOM_SUPPLIER: "CISA Tiger Group for SBOM Generation Reference Implementations"
 
 jobs:
  Generate_Container:
@@ -103,71 +107,105 @@ jobs:
  - name: Download all workflow run artifacts
  uses: actions/download-artifact@v4
 
- - name: Augment Container CycloneDX
+
+ - name: Install sbomasm
  run: |
- # We're using `envsubst` here to populate the metadata
- # template from environment variables
- export SBOM_NAME='phase1-python-container'
- cat "phase_1/Python/sbom/metadata.cdx.json.tmpl" | jq | \
- envsubst > metadata.cdx.json
- unset SBOM_NAME
+ curl -L -o /tmp/sbomasm \
+ "https:/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64"
+ chmod +x /tmp/sbomasm
 
- # Merge together SBOM and metadata
- jq --slurp '.[0] * .[1]' \
- container-sbom-cyclonedx/container-sbom.cdx.json \
- metadata.cdx.json \
- > /tmp/enriched_container-sbom.cdx.json
+ - name: Augment Container CycloneDX
+ run: |
+ /tmp/sbomasm edit --append --subject Document \
+ --author ${SBOM_AUTHOR} \
+ --supplier ${SBOM_SUPPLIER} \
+ --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \
+ --license 'Apache-2.0' \
+ container-sbom-cyclonedx/container-sbom.cdx.json > /tmp/augmented_container-sbom.cdx.tmp
+
+ /tmp/sbomasm edit --subject primary-component
+ --name phase1-python-application \
+ --author ${SBOM_AUTHOR} \
+ --supplier ${SBOM_SUPPLIER} \
+ --version ${GITHUB_SHA} \
+ --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \
+ --license 'Apache-2.0' \
+ /tmp/augmented_container-sbom.cdx.tmp > /tmp/augmented_container-sbom.cdx.json
 
  - name: Augment Application CycloneDX
  run: |
- # We're using `envsubst` here to populate the metadata
- # template from environment variables
- export SBOM_NAME='phase1-python-application'
- cat "phase_1/Python/sbom/metadata.cdx.json.tmpl" | jq | \
- envsubst > metadata.cdx.json
- unset SBOM_NAME
-
- # Merge together SBOM and metadata
- jq --slurp '.[0] * .[1]' \
- application-sbom-cyclonedx/application-sbom.cdx.json \
- metadata.cdx.json \
- > /tmp/enriched_application-sbom.cdx.json
+ /tmp/sbomasm edit --append --subject Document \
+ --name phase1-python-application \
+ --author ${SBOM_AUTHOR} \
+ --supplier ${SBOM_SUPPLIER} \
+ --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \
+ --lifecycle source \
+ --license 'Apache-2.0' \
+ application-sbom-cyclonedx/application-sbom.cdx.json > /tmp/augmented_application-sbom.cdx.tmp
+
+ /tmp/sbomasm edit --subject primary-component
+ --name phase1-python-application \
+ --author ${SBOM_AUTHOR} \
+ --supplier ${SBOM_SUPPLIER} \
+ --version ${GITHUB_SHA} \
+ --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \
+ --license 'Apache-2.0' \
+ /tmp/augmented_application-sbom.cdx.tmp >/tmp/augmented_application-sbom.cdx.json
 
  - name: Augment Container SPDX
  run: |
- # We're using `envsubst` here to populate the metadata
- # template from environment variables
- export SBOM_NAME='phase1-python-container'
- cat "phase_1/Python/sbom/metadata.spdx.json.tmpl" | jq | \
- envsubst > metadata.spdx.json
- unset SBOM_NAME
-
- # Merge together SBOM and metadata
- jq --slurp '.[0] * .[1]' \
- container-sbom-spdx/container-sbom.spdx.json \
- metadata.cdx.json \
- > /tmp/enriched_container-sbom.spdx.json
+ /tmp/sbomasm edit --append --subject Document \
+ --name phase1-python-application \
+ --author ${SBOM_AUTHOR} \
+ --supplier ${SBOM_SUPPLIER} \
+ --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \
+ --lifecycle source \
+ --license 'Apache-2.0' \
+ container-sbom-spdx/container-sbom.spdx.json > /tmp/augmented_container-sbom.spdx.tmp
+
+ /tmp/sbomasm edit --subject primary-component
+ --name phase1-python-application \
+ --author ${SBOM_AUTHOR} \
+ --supplier ${SBOM_SUPPLIER} \
+ --version ${GITHUB_SHA} \
+ --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \
+ --license 'Apache-2.0' \
+ container-sbom-spdx/container-sbom.spdx.tmp > /tmp/augmented_container-sbom.spdx.json
 
  - name: Augment Application SPDX
  run: |
- # We're using `envsubst` here to populate the metadata
- # template from environment variables
- export SBOM_NAME='phase1-python-application'
- cat "phase_1/Python/sbom/metadata.cdx.json.tmpl" | jq | \
- envsubst > metadata.cdx.json
- unset SBOM_NAME
-
- # Merge together SBOM and metadata
- jq --slurp '.[0] * .[1]' \
- application-sbom-spdx/application-sbom.spdx.json \
- metadata.cdx.json \
- > /tmp/enriched_application-sbom.spdx.json
+ /tmp/sbomasm edit --append --subject Document \
+ --name phase1-python-application \
+ --author ${SBOM_AUTHOR} \
+ --supplier ${SBOM_SUPPLIER} \
+ --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \
+ --lifecycle source \
+ --license 'Apache-2.0' \
+ application-sbom-spdx/application-sbom.spdx.json > /tmp/augmented_application-sbom.spdx.tmp
+
+ /tmp/sbomasm edit --subject primary-component
+ --name phase1-python-application \
+ --author ${SBOM_AUTHOR} \
+ --supplier ${SBOM_SUPPLIER} \
+ --version ${GITHUB_SHA} \
+ --repository 'https:/CISA-SBOM-Community/SBOM-Generation' \
+ --license 'Apache-2.0' \
+ /tmp/augmented_application-sbom.spdx.tmp > /tmp/enriched_application-sbom.spdx.json
 
  - name: Upload Enriched SBOMs
  uses: actions/upload-artifact@v4
  with:
  name: enriched-sboms
- path: "/tmp/enriched_*.json"
+ path: "/tmp/augmented_*.json"
+
+ Enrich:
+ runs-on: ubuntu-latest
+ needs: [Augment]
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Download all workflow run artifacts
+ uses: actions/download-artifact@v4
 
  Consolidate:
  runs-on: ubuntu-latest