From cf6be24564654b0527f36c86d33923e5592f2d80 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 4 Oct 2024 00:27:06 -0400 Subject: [PATCH 01/17] Update and rename anchore-syft.yml to sbom.yml Explore sbom options --- .github/workflows/anchore-syft.yml | 38 ---------------- .github/workflows/sbom.yml | 71 ++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+), 38 deletions(-) delete mode 100644 .github/workflows/anchore-syft.yml create mode 100644 .github/workflows/sbom.yml diff --git a/.github/workflows/anchore-syft.yml b/.github/workflows/anchore-syft.yml deleted file mode 100644 index 4b687532ec..0000000000 --- a/.github/workflows/anchore-syft.yml +++ /dev/null @@ -1,38 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow checks out code, builds an image, performs a container image -# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency -# submission API. - -# For more information on the Anchore sbom-action usage -# and parameters, see https://github.com/anchore/sbom-action. For more -# information about the Anchore SBOM tool, Syft, see -# https://github.com/anchore/syft -name: Anchore Syft SBOM scan - -on: - push: - branches: [ "master" ] - -permissions: - contents: write - -jobs: - Anchore-Build-Scan: - permissions: - contents: write # required to upload to the Dependency submission API - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v4 - - name: Build the Docker image - run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - name: Scan the image and upload dependency results - uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a - with: - image: "localbuild/testimage:latest" - artifact-name: image.spdx.json - dependency-snapshot: true diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 0000000000..c6fc853371 --- /dev/null +++ b/.github/workflows/sbom.yml @@ -0,0 +1,71 @@ +name: SBOM Generator + +on: + push: + branches: [master] + pull_request: + branches: [master] + + workflow_dispatch: + +permissions: write-all + +jobs: + build: + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v4 + + # Github Advanced Security Github Action + - name: Run Github Advanced Security Github Action + uses: advanced-security/sbom-generator-action@v0.0.1 + id: sbom + env: + GITHUB_TOKEN: ${{ github.token }} + + - uses: actions/upload-artifact@v4 + with: + path: ${{steps.sbom.outputs.fileName }} + name: "Github SBOM Generator Action.spdx.json" + + - name: Convert it into CycloneDX format + run: docker run -t -v "${{steps.sbom.outputs.fileName }}":/tmp/sbom.spdx.json -v /tmp/ghas_action_sbom.cdx.json:/tmp/ghas_action_sbom.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbom.spdx.json --output-file /tmp/ghas_action_sbom.cdx.json --input-format spdxjson --output-format json + + - uses: actions/upload-artifact@v4 + with: + path: /tmp/ghas_action_sbom.cdx.json + name: "Github SBOM Generator Action SPDX.cdx.json" + + # Github Advanced Security CLI + - name: Install Github CLI SBOM extension + run: gh ext install advanced-security/gh-sbom + + - name: Run Github Advanced Security CLI SPDX + run: gh sbom | jq '.' > /tmp/ghas_cli_sbom.spdx.json + + - uses: actions/upload-artifact@v4 + with: + path: /tmp/ghas_cli_sbom.spdx.json + name: "Github SBOM CLI.spdx.json" + + - name: Convert it into CycloneDX format + run: docker run -t -v /tmp/ghas_cli_sbom.spdx.json:/tmp/ghas_cli_sbom.spdx.json -v /tmp/ghas_cli_sbom_spdx.cdx.json:/tmp/ghas_cli_sbom_spdx.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/ghas_cli_sbom.spdx.json --output-file /tmp/ghas_cli_sbom_spdx.cdx.json --input-format spdxjson --output-format json + + - uses: actions/upload-artifact@v4 + with: + path: /tmp/ghas_cli_sbom_spdx.cdx.json + name: "Github SBOM CLI SPDX.cdx.json" + + - name: Run Github Advanced Security CLI CDX + run: gh sbom -c -l | jq '.' > /tmp/ghas_cli_sbom.cdx.json + + - uses: actions/upload-artifact@v4 + with: + path: /tmp/ghas_cli_sbom.cdx.json + name: "Github SBOM CLI.cdx.json" + + # Anchore Syft Github Action + + - run: ls + + - run: tree From 27aa57916b7166b0700afa7eae5966ad1b4d4f93 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 4 Oct 2024 00:31:03 -0400 Subject: [PATCH 02/17] Continue on error --- .github/workflows/sbom.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index c6fc853371..3eb387e24a 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -12,6 +12,7 @@ permissions: write-all jobs: build: + continue-on-error: true runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 From 604d2b5b80cda1b457b4396de67cc42564f9ebdd Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 4 Oct 2024 00:38:07 -0400 Subject: [PATCH 03/17] Please just do all the steps --- .github/workflows/sbom.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 3eb387e24a..12656f7771 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -12,55 +12,65 @@ permissions: write-all jobs: build: - continue-on-error: true runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 # Github Advanced Security Github Action - name: Run Github Advanced Security Github Action + if: always() uses: advanced-security/sbom-generator-action@v0.0.1 id: sbom env: GITHUB_TOKEN: ${{ github.token }} - uses: actions/upload-artifact@v4 + if: always() with: path: ${{steps.sbom.outputs.fileName }} name: "Github SBOM Generator Action.spdx.json" - name: Convert it into CycloneDX format + if: always() run: docker run -t -v "${{steps.sbom.outputs.fileName }}":/tmp/sbom.spdx.json -v /tmp/ghas_action_sbom.cdx.json:/tmp/ghas_action_sbom.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbom.spdx.json --output-file /tmp/ghas_action_sbom.cdx.json --input-format spdxjson --output-format json - uses: actions/upload-artifact@v4 + if: always() with: path: /tmp/ghas_action_sbom.cdx.json name: "Github SBOM Generator Action SPDX.cdx.json" # Github Advanced Security CLI - name: Install Github CLI SBOM extension + if: always() run: gh ext install advanced-security/gh-sbom - name: Run Github Advanced Security CLI SPDX + if: always() run: gh sbom | jq '.' > /tmp/ghas_cli_sbom.spdx.json - uses: actions/upload-artifact@v4 + if: always() with: path: /tmp/ghas_cli_sbom.spdx.json name: "Github SBOM CLI.spdx.json" - name: Convert it into CycloneDX format + if: always() run: docker run -t -v /tmp/ghas_cli_sbom.spdx.json:/tmp/ghas_cli_sbom.spdx.json -v /tmp/ghas_cli_sbom_spdx.cdx.json:/tmp/ghas_cli_sbom_spdx.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/ghas_cli_sbom.spdx.json --output-file /tmp/ghas_cli_sbom_spdx.cdx.json --input-format spdxjson --output-format json - uses: actions/upload-artifact@v4 + if: always() with: path: /tmp/ghas_cli_sbom_spdx.cdx.json name: "Github SBOM CLI SPDX.cdx.json" - name: Run Github Advanced Security CLI CDX + if: always() run: gh sbom -c -l | jq '.' > /tmp/ghas_cli_sbom.cdx.json - uses: actions/upload-artifact@v4 + if: always() with: path: /tmp/ghas_cli_sbom.cdx.json name: "Github SBOM CLI.cdx.json" From 56a35a2ad520d1c84e68741bd661098997ba2a21 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 4 Oct 2024 00:40:46 -0400 Subject: [PATCH 04/17] GH CLI needs GITHUB_TOKEN envvar --- .github/workflows/sbom.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 12656f7771..bdfd2f9ec9 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -44,10 +44,14 @@ jobs: - name: Install Github CLI SBOM extension if: always() run: gh ext install advanced-security/gh-sbom + env: + GITHUB_TOKEN: ${{ github.token }} - name: Run Github Advanced Security CLI SPDX if: always() run: gh sbom | jq '.' > /tmp/ghas_cli_sbom.spdx.json + env: + GITHUB_TOKEN: ${{ github.token }} - uses: actions/upload-artifact@v4 if: always() @@ -68,6 +72,8 @@ jobs: - name: Run Github Advanced Security CLI CDX if: always() run: gh sbom -c -l | jq '.' > /tmp/ghas_cli_sbom.cdx.json + env: + GITHUB_TOKEN: ${{ github.token }} - uses: actions/upload-artifact@v4 if: always() From 9e3c859e9b66785dd6593f48ce07259c248890bc Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 4 Oct 2024 01:30:21 -0400 Subject: [PATCH 05/17] Let's see if it actually runs all of them this time --- .github/workflows/sbom.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index bdfd2f9ec9..cdfac2b780 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -16,7 +16,7 @@ jobs: steps: - uses: actions/checkout@v4 - # Github Advanced Security Github Action + # Github Advanced Security Github Action # TODO: remove, output was not high quality - name: Run Github Advanced Security Github Action if: always() uses: advanced-security/sbom-generator-action@v0.0.1 @@ -30,7 +30,7 @@ jobs: path: ${{steps.sbom.outputs.fileName }} name: "Github SBOM Generator Action.spdx.json" - - name: Convert it into CycloneDX format + - name: Convert it into CycloneDX format # TODO: remove, fails when trying to convert the previous output since it didn't follow spec if: always() run: docker run -t -v "${{steps.sbom.outputs.fileName }}":/tmp/sbom.spdx.json -v /tmp/ghas_action_sbom.cdx.json:/tmp/ghas_action_sbom.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbom.spdx.json --output-file /tmp/ghas_action_sbom.cdx.json --input-format spdxjson --output-format json @@ -40,7 +40,7 @@ jobs: path: /tmp/ghas_action_sbom.cdx.json name: "Github SBOM Generator Action SPDX.cdx.json" - # Github Advanced Security CLI + # Github Advanced Security CLI # TODO: we can apparently run into issues with rate limits if we hit the gh api too much. once we get rid of all the spurious ones, it should probably be fine but if not we might need to restrict it to just run against master or even just release. - name: Install Github CLI SBOM extension if: always() run: gh ext install advanced-security/gh-sbom @@ -84,5 +84,7 @@ jobs: # Anchore Syft Github Action - run: ls + if: always() - run: tree + if: always() From 0e91daa90398a6721d7e9cd58e11b1dbde368a11 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 4 Oct 2024 02:09:01 -0400 Subject: [PATCH 06/17] Get rid of unnecessary gh sboms --- .github/workflows/sbom.yml | 46 -------------------------------------- 1 file changed, 46 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index cdfac2b780..51c4b9a9f2 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -16,30 +16,6 @@ jobs: steps: - uses: actions/checkout@v4 - # Github Advanced Security Github Action # TODO: remove, output was not high quality - - name: Run Github Advanced Security Github Action - if: always() - uses: advanced-security/sbom-generator-action@v0.0.1 - id: sbom - env: - GITHUB_TOKEN: ${{ github.token }} - - - uses: actions/upload-artifact@v4 - if: always() - with: - path: ${{steps.sbom.outputs.fileName }} - name: "Github SBOM Generator Action.spdx.json" - - - name: Convert it into CycloneDX format # TODO: remove, fails when trying to convert the previous output since it didn't follow spec - if: always() - run: docker run -t -v "${{steps.sbom.outputs.fileName }}":/tmp/sbom.spdx.json -v /tmp/ghas_action_sbom.cdx.json:/tmp/ghas_action_sbom.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbom.spdx.json --output-file /tmp/ghas_action_sbom.cdx.json --input-format spdxjson --output-format json - - - uses: actions/upload-artifact@v4 - if: always() - with: - path: /tmp/ghas_action_sbom.cdx.json - name: "Github SBOM Generator Action SPDX.cdx.json" - # Github Advanced Security CLI # TODO: we can apparently run into issues with rate limits if we hit the gh api too much. once we get rid of all the spurious ones, it should probably be fine but if not we might need to restrict it to just run against master or even just release. - name: Install Github CLI SBOM extension if: always() @@ -47,28 +23,6 @@ jobs: env: GITHUB_TOKEN: ${{ github.token }} - - name: Run Github Advanced Security CLI SPDX - if: always() - run: gh sbom | jq '.' > /tmp/ghas_cli_sbom.spdx.json - env: - GITHUB_TOKEN: ${{ github.token }} - - - uses: actions/upload-artifact@v4 - if: always() - with: - path: /tmp/ghas_cli_sbom.spdx.json - name: "Github SBOM CLI.spdx.json" - - - name: Convert it into CycloneDX format - if: always() - run: docker run -t -v /tmp/ghas_cli_sbom.spdx.json:/tmp/ghas_cli_sbom.spdx.json -v /tmp/ghas_cli_sbom_spdx.cdx.json:/tmp/ghas_cli_sbom_spdx.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/ghas_cli_sbom.spdx.json --output-file /tmp/ghas_cli_sbom_spdx.cdx.json --input-format spdxjson --output-format json - - - uses: actions/upload-artifact@v4 - if: always() - with: - path: /tmp/ghas_cli_sbom_spdx.cdx.json - name: "Github SBOM CLI SPDX.cdx.json" - - name: Run Github Advanced Security CLI CDX if: always() run: gh sbom -c -l | jq '.' > /tmp/ghas_cli_sbom.cdx.json From a32b544044332ac59e7b7408f9d1200c8a1a4dcc Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 4 Oct 2024 03:24:34 -0400 Subject: [PATCH 07/17] Now experimenting with Anchore Syft --- .github/workflows/sbom.yml | 62 +++++++++++++++++++++++++++----------- 1 file changed, 44 insertions(+), 18 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 51c4b9a9f2..f41e10836a 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -16,29 +16,55 @@ jobs: steps: - uses: actions/checkout@v4 - # Github Advanced Security CLI # TODO: we can apparently run into issues with rate limits if we hit the gh api too much. once we get rid of all the spurious ones, it should probably be fine but if not we might need to restrict it to just run against master or even just release. - - name: Install Github CLI SBOM extension + # Anchore Syft Github Action + - name: Build the Docker image if: always() - run: gh ext install advanced-security/gh-sbom - env: - GITHUB_TOKEN: ${{ github.token }} - - - name: Run Github Advanced Security CLI CDX + run: docker build -f Dockerfile -t mitre/heimdall2:throwaway . + + - name: Syft directory spdx if: always() - run: gh sbom -c -l | jq '.' > /tmp/ghas_cli_sbom.cdx.json - env: - GITHUB_TOKEN: ${{ github.token }} + uses: anchore/sbom-action@v0 + with: + artifact-name: syft_directory.spdx.json + output-file: /tmp/syft_directory.spdx.json + format: spdx-json - - uses: actions/upload-artifact@v4 + - name: Syft directory spdx converted if: always() - with: - path: /tmp/ghas_cli_sbom.cdx.json - name: "Github SBOM CLI.cdx.json" - - # Anchore Syft Github Action + run: docker run -t -v /tmp/syft_directory.spdx.json:/tmp/syft_directory.spdx.json -v /tmp/syft_directory_spdx.cdx.json:/tmp/syft_directory_spdx.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/syft_directory.spdx.json --output-file /tmp/syft_directory_spdx.cdx.json --input-format spdxjson --output-format json + + - name: Syft directory cyclonedx + if: always() + uses: anchore/sbom-action@v0 + with: + artifact-name: syft_directory.cdx.json + output-file: /tmp/syft_directory.cdx.json + format: cyclonedx-json - - run: ls + - name: Syft image spdx + if: always() + uses: anchore/sbom-action@v0 + with: + image: "mitre/heimdall2:throwaway" + artifact-name: syft_image.spdx.json + output-file: /tmp/syft_image.spdx.json + format: spdx-json + + - name: Syft image spdx converted + if: always() + run: docker run -t -v /tmp/syft_image.spdx.json:/tmp/syft_image.spdx.json -v /tmp/syft_image_spdx.cdx.json:/tmp/syft_image_spdx.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/syft_image.spdx.json --output-file /tmp/syft_image_spdx.cdx.json --input-format spdxjson --output-format json + + - name: Syft image cyclonedx if: always() + uses: anchore/sbom-action@v0 + with: + image: "mitre/heimdall2:throwaway" + artifact-name: syft_image.cdx.json + output-file: /tmp/syft_image.cdx.json + format: cyclonedx-json - - run: tree + - uses: actions/upload-artifact@v4 if: always() + with: + path: /tmp/syft* + name: "Syft SBOM experiments" From 0609f6f827a2c238ee73dbb4cdbff36e9060f438 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 4 Oct 2024 04:21:10 -0400 Subject: [PATCH 08/17] Just doing installed deps with directory --- .github/workflows/sbom.yml | 51 ++++++++++++-------------------------- 1 file changed, 16 insertions(+), 35 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index f41e10836a..c297649810 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -16,55 +16,36 @@ jobs: steps: - uses: actions/checkout@v4 - # Anchore Syft Github Action - - name: Build the Docker image - if: always() - run: docker build -f Dockerfile -t mitre/heimdall2:throwaway . - - - name: Syft directory spdx - if: always() - uses: anchore/sbom-action@v0 + - name: Setup Node.js + uses: actions/setup-node@v4 with: - artifact-name: syft_directory.spdx.json - output-file: /tmp/syft_directory.spdx.json - format: spdx-json + node-version: "18" + check-latest: true + cache: 'yarn' - - name: Syft directory spdx converted - if: always() - run: docker run -t -v /tmp/syft_directory.spdx.json:/tmp/syft_directory.spdx.json -v /tmp/syft_directory_spdx.cdx.json:/tmp/syft_directory_spdx.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/syft_directory.spdx.json --output-file /tmp/syft_directory_spdx.cdx.json --input-format spdxjson --output-format json - - - name: Syft directory cyclonedx - if: always() - uses: anchore/sbom-action@v0 - with: - artifact-name: syft_directory.cdx.json - output-file: /tmp/syft_directory.cdx.json - format: cyclonedx-json + - name: Install project dependencies + run: yarn install --frozen-lockfile --production - - name: Syft image spdx + # Anchore Syft Github Action + + - name: Syft directory installed spdx if: always() uses: anchore/sbom-action@v0 with: - image: "mitre/heimdall2:throwaway" - artifact-name: syft_image.spdx.json - output-file: /tmp/syft_image.spdx.json + artifact-name: syft_directory_installed.spdx.json + output-file: /tmp/syft_directory_installed.spdx.json format: spdx-json - - name: Syft image spdx converted - if: always() - run: docker run -t -v /tmp/syft_image.spdx.json:/tmp/syft_image.spdx.json -v /tmp/syft_image_spdx.cdx.json:/tmp/syft_image_spdx.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/syft_image.spdx.json --output-file /tmp/syft_image_spdx.cdx.json --input-format spdxjson --output-format json - - - name: Syft image cyclonedx + - name: Syft directory installed cyclonedx if: always() uses: anchore/sbom-action@v0 with: - image: "mitre/heimdall2:throwaway" - artifact-name: syft_image.cdx.json - output-file: /tmp/syft_image.cdx.json + artifact-name: syft_directory_installed.cdx.json + output-file: /tmp/syft_directory_installed.cdx.json format: cyclonedx-json - uses: actions/upload-artifact@v4 if: always() with: path: /tmp/syft* - name: "Syft SBOM experiments" + name: "Syft SBOM experiments - just directory - installed" From 890d5e1e711591ab42a8239093272d8a87e965d2 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 01:24:39 -0400 Subject: [PATCH 09/17] microsoft sbom tool --- .github/workflows/sbom.yml | 41 ++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index c297649810..2fab3c4687 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -23,29 +23,36 @@ jobs: check-latest: true cache: 'yarn' + - name: Install Microsoft SBOM Tool + run: | + curl -Lo /tmp/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64 + chmod +x /tmp/sbom-tool + - name: Install project dependencies run: yarn install --frozen-lockfile --production - # Anchore Syft Github Action - - - name: Syft directory installed spdx + - name: sbomtool directory spdx if: always() - uses: anchore/sbom-action@v0 - with: - artifact-name: syft_directory_installed.spdx.json - output-file: /tmp/syft_directory_installed.spdx.json - format: spdx-json - - - name: Syft directory installed cyclonedx + run: /tmp/sbom-tool generate -b . -bc . -li true -pm true -m /tmp/sbomtool_directory.spdx.json -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose + + - name: sbomtool directory spdx converted if: always() - uses: anchore/sbom-action@v0 - with: - artifact-name: syft_directory_installed.cdx.json - output-file: /tmp/syft_directory_installed.cdx.json - format: cyclonedx-json + run: docker run -t -v /tmp/sbomtool_directory.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool_directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json + + - name: Build the Docker image + if: always() + run: docker build -f Dockerfile -t mitre/heimdall2:throwaway . + + - name: sbomtool image spdx + if: always() + run: /tmp/sbom-tool generate -di mitre/heimdall2:throwaway -li true -pm true -m /tmp/sbomtool_image.spdx.json -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose + + - name: sbomtool image spdx converted + if: always() + run: docker run -t -v /tmp/sbomtool_image.spdx.json:/tmp/sbomtool_image.spdx.json -v /tmp/sbomtool_image.cdx.json:/tmp/sbomtool_image.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_image.spdx.json --output-file /tmp/sbomtool_image.cdx.json --input-format spdxjson --output-format json - uses: actions/upload-artifact@v4 if: always() with: - path: /tmp/syft* - name: "Syft SBOM experiments - just directory - installed" + path: /tmp/sbomtool* + name: "MS SBOM Tool experiments" From b4372b08703550c9c8a088d077baa37f87921fee Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 01:43:49 -0400 Subject: [PATCH 10/17] -m flag expects a directory not a file --- .github/workflows/sbom.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 2fab3c4687..a58a58a901 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -31,13 +31,20 @@ jobs: - name: Install project dependencies run: yarn install --frozen-lockfile --production + - name: sbomtool expects a directory to exist to place results in + run: | + mkdir -p /tmp/sbomtool/directory + mkdir -p /tmp/sbomtool/image + - name: sbomtool directory spdx if: always() - run: /tmp/sbom-tool generate -b . -bc . -li true -pm true -m /tmp/sbomtool_directory.spdx.json -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose + run: /tmp/sbom-tool generate -b . -bc . -li true -pm true -m /tmp/sbomtool/directory -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose + + - run: tree /tmp/sbomtool - name: sbomtool directory spdx converted if: always() - run: docker run -t -v /tmp/sbomtool_directory.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool_directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json + run: docker run -t -v /tmp/sbomtool/directory/*:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json - name: Build the Docker image if: always() @@ -45,14 +52,14 @@ jobs: - name: sbomtool image spdx if: always() - run: /tmp/sbom-tool generate -di mitre/heimdall2:throwaway -li true -pm true -m /tmp/sbomtool_image.spdx.json -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose + run: /tmp/sbom-tool generate -di mitre/heimdall2:throwaway -li true -pm true -m /tmp/sbomtool/image -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose - name: sbomtool image spdx converted if: always() - run: docker run -t -v /tmp/sbomtool_image.spdx.json:/tmp/sbomtool_image.spdx.json -v /tmp/sbomtool_image.cdx.json:/tmp/sbomtool_image.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_image.spdx.json --output-file /tmp/sbomtool_image.cdx.json --input-format spdxjson --output-format json + run: docker run -t -v /tmp/sbomtool/image/*:/tmp/sbomtool_image.spdx.json -v /tmp/sbomtool/image.cdx.json:/tmp/sbomtool_image.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_image.spdx.json --output-file /tmp/sbomtool_image.cdx.json --input-format spdxjson --output-format json - uses: actions/upload-artifact@v4 if: always() with: - path: /tmp/sbomtool* + path: /tmp/sbomtool name: "MS SBOM Tool experiments" From a10bab858e6c9ec82ea13a2b18d1d9f5d5dee4ed Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 01:55:21 -0400 Subject: [PATCH 11/17] Change path to the one actually generated by the tool and also look at permissions of generated file --- .github/workflows/sbom.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index a58a58a901..96a4ddb5e4 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -42,9 +42,11 @@ jobs: - run: tree /tmp/sbomtool + - run: ls -lah /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest.spdx.json + - name: sbomtool directory spdx converted if: always() - run: docker run -t -v /tmp/sbomtool/directory/*:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json + run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json - name: Build the Docker image if: always() @@ -56,7 +58,7 @@ jobs: - name: sbomtool image spdx converted if: always() - run: docker run -t -v /tmp/sbomtool/image/*:/tmp/sbomtool_image.spdx.json -v /tmp/sbomtool/image.cdx.json:/tmp/sbomtool_image.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_image.spdx.json --output-file /tmp/sbomtool_image.cdx.json --input-format spdxjson --output-format json + run: docker run -t -v /tmp/sbomtool/image/_manifest/spdx_2.2/manifest.spdx.json:/tmp/sbomtool_image.spdx.json -v /tmp/sbomtool/image.cdx.json:/tmp/sbomtool_image.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_image.spdx.json --output-file /tmp/sbomtool_image.cdx.json --input-format spdxjson --output-format json - uses: actions/upload-artifact@v4 if: always() From 89780793f65da6b2e5c84289c7a0bd5b480e4d97 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 02:16:40 -0400 Subject: [PATCH 12/17] apply workaround to cyclonedx cli bug --- .github/workflows/sbom.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 96a4ddb5e4..78bad4a230 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -44,9 +44,13 @@ jobs: - run: ls -lah /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest.spdx.json + - name: bug in cyclonedxcli spdx converter causes a valid field to throw an error, applying a workaround + if: always() + run: sed 's/PACKAGE-MANAGER/PACKAGE_MANAGER/g' /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest.spdx.json > /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json + - name: sbomtool directory spdx converted if: always() - run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json + run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json - name: Build the Docker image if: always() @@ -56,9 +60,13 @@ jobs: if: always() run: /tmp/sbom-tool generate -di mitre/heimdall2:throwaway -li true -pm true -m /tmp/sbomtool/image -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose + - name: bug in cyclonedxcli spdx converter causes a valid field to throw an error, applying a workaround + if: always() + run: sed 's/PACKAGE-MANAGER/PACKAGE_MANAGER/g' /tmp/sbomtool/image/_manifest/spdx_2.2/manifest.spdx.json > /tmp/sbomtool/image/_manifest/spdx_2.2/manifest_fixed.spdx.json + - name: sbomtool image spdx converted if: always() - run: docker run -t -v /tmp/sbomtool/image/_manifest/spdx_2.2/manifest.spdx.json:/tmp/sbomtool_image.spdx.json -v /tmp/sbomtool/image.cdx.json:/tmp/sbomtool_image.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_image.spdx.json --output-file /tmp/sbomtool_image.cdx.json --input-format spdxjson --output-format json + run: docker run -t -v /tmp/sbomtool/image/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_image.spdx.json -v /tmp/sbomtool/image.cdx.json:/tmp/sbomtool_image.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_image.spdx.json --output-file /tmp/sbomtool_image.cdx.json --input-format spdxjson --output-format json - uses: actions/upload-artifact@v4 if: always() From 3ea305600c5496e7a5d517e0c99aaf0144398b26 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 02:28:49 -0400 Subject: [PATCH 13/17] let's see if we can resolve this permissions issue --- .github/workflows/sbom.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 78bad4a230..fbd3d6e331 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -40,14 +40,16 @@ jobs: if: always() run: /tmp/sbom-tool generate -b . -bc . -li true -pm true -m /tmp/sbomtool/directory -pn Heimdall2 -pv 2.10.19 -ps MITRE -nsb https://saf.mitre.org -V Verbose - - run: tree /tmp/sbomtool - - - run: ls -lah /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest.spdx.json - - name: bug in cyclonedxcli spdx converter causes a valid field to throw an error, applying a workaround if: always() run: sed 's/PACKAGE-MANAGER/PACKAGE_MANAGER/g' /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest.spdx.json > /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json + - run: tree /tmp/sbomtool + + - run: ls -lah /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json + + - run: chmod 755 /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json + - name: sbomtool directory spdx converted if: always() run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json From 496a5ff357e7804db48fcb16015922a6fabf270c Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 02:39:35 -0400 Subject: [PATCH 14/17] i think the cyclonedx cli image might be running a windows container? consequently permissions can get wonky between them so let's just give it everything. --- .github/workflows/sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index fbd3d6e331..844956e0d5 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -48,7 +48,7 @@ jobs: - run: ls -lah /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json - - run: chmod 755 /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json + - run: chmod 777 /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json - name: sbomtool directory spdx converted if: always() From a0a959f903a5f6ebefe1d297ae7e80e1a05b7670 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 02:55:37 -0400 Subject: [PATCH 15/17] check permissions in container --- .github/workflows/sbom.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 844956e0d5..ce1391bdb6 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -45,11 +45,15 @@ jobs: run: sed 's/PACKAGE-MANAGER/PACKAGE_MANAGER/g' /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest.spdx.json > /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json - run: tree /tmp/sbomtool - - - run: ls -lah /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json - run: chmod 777 /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json + - run: ls -lah /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json + + - name: sbomtool check permissions in container + if: always() + run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json --entrypoint /bin/sh cyclonedx/cyclonedx-cli:latest -- tree /tmp && ls -lah /tmp/sbomtool_directory.spdx.json + - name: sbomtool directory spdx converted if: always() run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json cyclonedx/cyclonedx-cli:latest convert --input-file /tmp/sbomtool_directory.spdx.json --output-file /tmp/sbomtool_directory.cdx.json --input-format spdxjson --output-format json From 03d7152ab8767aa40ae2ca9d23ca0a49d238d950 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 02:59:33 -0400 Subject: [PATCH 16/17] no tree --- .github/workflows/sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index ce1391bdb6..12d1ab7934 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -52,7 +52,7 @@ jobs: - name: sbomtool check permissions in container if: always() - run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json --entrypoint /bin/sh cyclonedx/cyclonedx-cli:latest -- tree /tmp && ls -lah /tmp/sbomtool_directory.spdx.json + run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json --entrypoint /bin/sh cyclonedx/cyclonedx-cli:latest -- ls -lah /tmp - name: sbomtool directory spdx converted if: always() From a3489dbb84dfeaa0bde93f286463d647fe214276 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 14 Oct 2024 03:10:12 -0400 Subject: [PATCH 17/17] use full path to ls instead of assuming any path is set to include the contents of /bin --- .github/workflows/sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 12d1ab7934..8f22a966d7 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -52,7 +52,7 @@ jobs: - name: sbomtool check permissions in container if: always() - run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json --entrypoint /bin/sh cyclonedx/cyclonedx-cli:latest -- ls -lah /tmp + run: docker run -t -v /tmp/sbomtool/directory/_manifest/spdx_2.2/manifest_fixed.spdx.json:/tmp/sbomtool_directory.spdx.json -v /tmp/sbomtool/directory.cdx.json:/tmp/sbomtool_directory.cdx.json --entrypoint /bin/bash cyclonedx/cyclonedx-cli:latest -- /bin/ls -lah /tmp - name: sbomtool directory spdx converted if: always()