build(tools): software bill of materials generation

Added a script to generate all SBoMs. The short hand to call the script is by running $ yarn generate-sbom and then it saves all the different .spdx files under ./dist/sbom/* where the file names are derived from the relative path of the directory of the build definition. Fixes hyperledger-cacti#2081 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz · Jul 11, 2022 · da78302 · da78302
1 parent a69a957
commit da78302
Show file tree

Hide file tree

Showing 7 changed files with 466 additions and 0 deletions.
diff --git a/.devcontainer/README.md b/.devcontainer/README.md
@@ -4,6 +4,7 @@
   - [Windows](#windows)
   - [Linux](#linux)
 - [Usage](#usage)
+- [Build Image Locally](#build-image-locally)
 
 ## Summary
 
@@ -40,3 +41,9 @@ For more guidance please see [developing inside a container](https://code.visual
 You should see a pop up at the bottom right stating the container is starting. Once the container is ready you will see the repo opened, you should now be ready to start contributing to Hyperledger Cactus.
 
 Note - The first time you initiate the container it may take a while to complete. All other loads from then should be much faster.
+
+## Build Image Locally
+
+```sh
+DOCKER_BUILDKIT=1 docker build ./.devcontainer/ --file ./.devcontainer/Dockerfile --tag cdc
+```
diff --git a/.syft/README.md b/.syft/README.md
@@ -0,0 +1,38 @@
+# Syft Dockerfile for Scanning
+
+## Building the Image Locally
+
+```sh
+DOCKER_BUILDKIT=1 docker build ./.syft/ --file ./.syft/syft.Dockerfile --tag cs
+```
+
+## Exporting the Locally Built Image Into an Archive
+
+This is needed so that the syft scan can be performed on the image.
+
+```sh
+docker save cs > cs.tar
+```
+
+## Running Syft on The Locally Built Image's Tar Archive
+
+Exporting in JSON format:
+
+```sh
+docker run --rm --volume "$(pwd)/:/repository" anchore/syft packages --config=/repository/.syft/syft.config.yaml /repository/cs.tar -vv > syft-2.json
+```
+
+Exporting with the custom template that renders an Excel/OpenOffice Calc compatible CSV file
+
+```sh
+docker run --rm \
+    --volume "$(pwd)/:/repository" \
+    anchore/syft:v0.50.0 \
+    packages \
+    -vv \
+    /repository/cs.tar \
+    --config=/repository/.syft/syft.config.yaml \
+    -o template \
+    -t /repository/.syft/syft.report.csv.go.tmpl \
+    > syft-1.csv
+```
diff --git a/.syft/syft.Dockerfile b/.syft/syft.Dockerfile
@@ -0,0 +1,68 @@
+FROM ubuntu:20.04
+
+SHELL ["/bin/bash", "-c"]
+
+ARG APP=/usr/src/app/
+ENV APP_USER=appuser
+
+RUN groupadd --gid 1000 appuser \
+  && useradd --uid 1000 --gid appuser --shell /bin/bash --create-home ${APP_USER}
+
+RUN apt update && apt install -y curl git
+
+RUN export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y install --no-install-recommends openjdk-11-jdk
+
+# Install software properties
+RUN export DEBIAN_FRONTEND=noninteractive \
+    && apt-get install software-properties-common -y
+
+# Install pip3
+RUN apt-get update \
+    && apt-get install python3-pip -y
+
+# Install GVM (Go Version Manager) dependencies
+RUN apt-get update \
+    && apt-get -y install curl git mercurial make binutils bison gcc build-essential
+
+
+# Install Rust toolchain (rustup, rustc, cargo, etc.)
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --verbose --default-toolchain=1.57.0
+
+WORKDIR ${APP}
+
+COPY --chown=${APP_USER}:${APP_USER} ./ ./
+RUN chown -R $APP_USER:$APP_USER ${APP}
+
+USER $APP_USER
+
+# Install GVM  (Go Version Manager)
+# RUN ["/bin/bash", "-c", "bash < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/1.0.22/binscripts/gvm-installer)"]
+# RUN source /home/${APP_USER}/.gvm/scripts/gvm
+
+# Install Go
+# RUN gvm install go1.16.5 -B
+# RUN gvm use go1.16.5 --default
+
+
+ENV TZ=Etc/UTC
+
+ENV NVM_DIR /home/${APP_USER}/.nvm
+ENV NODE_VERSION 16.3.0
+ENV NODE_PATH $NVM_DIR/v$NODE_VERSION/lib/node_modules
+ENV PATH      $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
+
+# Install nvm with node and npm
+RUN mkdir -p ${NVM_DIR}
+RUN curl https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash \
+  && source $NVM_DIR/nvm.sh \
+  && nvm install $NODE_VERSION \
+  && nvm alias default $NODE_VERSION \
+  && nvm use default \
+  && npm install -g npm@7.19.1
+
+RUN npm install -g yarn@1.22.17
+
+RUN yarn configure
+
+ENTRYPOINT ["/bin/bash"]
diff --git a/.syft/syft.config.yaml b/.syft/syft.config.yaml
@@ -0,0 +1,236 @@
+# the output format(s) of the SBOM report (options: table, text, json, spdx, ...)
+# same as -o, --output, and SYFT_OUTPUT env var
+# to specify multiple output files in differing formats, use a list:
+# output:
+#   - "json=<syft-json-output-file>"
+#   - "spdx-json=<spdx-json-output-file>"
+output: "template"
+
+# suppress all output (except for the SBOM report)
+# same as -q ; SYFT_QUIET env var
+quiet: false
+
+# same as --file; write output report to a file (default is to write to stdout)
+file: ""
+
+# enable/disable checking for application updates on startup
+# same as SYFT_CHECK_FOR_APP_UPDATE env var
+check-for-app-update: true
+
+# a list of globs to exclude from scanning. same as --exclude ; for example:
+# exclude:
+#   - "/etc/**"
+#   - "./out/**/*.json"
+exclude: []
+
+# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64")
+# same as --platform; SYFT_PLATFORM env var
+platform: ""
+
+# set the list of package catalogers to use when generating the SBOM
+# default = empty (cataloger set determined automatically by the source type [image or file/directory])
+# catalogers:
+#   - ruby-gemfile
+#   - ruby-gemspec
+#   - python-index
+#   - python-package
+#   - javascript-lock
+#   - javascript-package
+#   - php-composer-installed
+#   - php-composer-lock
+#   - alpmdb
+#   - dpkgdb
+#   - rpmdb
+#   - java
+#   - apkdb
+#   - go-module-binary
+#   - go-mod-file
+#   - dartlang-lock
+#   - rust
+#   - dotnet-deps
+catalogers:
+  - rust
+  - ruby-gemfile
+  - ruby-gemspec
+  - python-index
+  - python-package
+  - javascript-lock
+  - javascript-package
+  - php-composer-installed
+  - php-composer-lock
+  - alpmdb
+  - dpkgdb
+  - rpmdb
+  - java
+  - apkdb
+  - go-module-binary
+  - go-mod-file
+  - dartlang-lock
+  - dotnet-deps
+
+# cataloging packages is exposed through the packages and power-user subcommands
+package:
+
+  # search within archives that do contain a file index to search against (zip)
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
+  search-indexed-archives: true
+
+  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
+  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
+  search-unindexed-archives: false
+
+  cataloger:
+    # enable/disable cataloging of packages
+    # SYFT_PACKAGE_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for packages (options: all-layers, squashed)
+    # same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+# cataloging file classifications is exposed through the power-user subcommand
+file-classification:
+  cataloger:
+    # enable/disable cataloging of file classifications
+    # SYFT_FILE_CLASSIFICATION_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for file classifications (options: all-layers, squashed)
+    # SYFT_FILE_CLASSIFICATION_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+# cataloging file contents is exposed through the power-user subcommand
+file-contents:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_FILE_CONTENTS_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_FILE_CONTENTS_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+
+  # file globs for the cataloger to match on
+  # SYFT_FILE_CONTENTS_GLOBS env var
+  globs: []
+
+# cataloging file metadata is exposed through the power-user subcommand
+file-metadata:
+  cataloger:
+    # enable/disable cataloging of file metadata
+    # SYFT_FILE_METADATA_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for file metadata (options: all-layers, squashed)
+    # SYFT_FILE_METADATA_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+  # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1")
+  # SYFT_FILE_METADATA_DIGESTS env var
+  digests: ["sha256"]
+
+# cataloging secrets is exposed through the power-user subcommand
+secrets:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_SECRETS_CATALOGER_ENABLED env var
+    enabled: true
+
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_SECRETS_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+  # show extracted secret values in the final JSON report
+  # SYFT_SECRETS_REVEAL_VALUES env var
+  reveal-values: false
+
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+
+  # name-regex pairs to consider when searching files for secrets. Note: the regex must match single line patterns
+  # but may also have OPTIONAL multiline capture groups. Regexes with a named capture group of "value" will
+  # use the entire regex to match, but the secret value will be assumed to be entirely contained within the
+  # "value" named capture group.
+  additional-patterns: {}
+
+  # names to exclude from the secrets search, valid values are: "aws-access-key", "aws-secret-key", "pem-private-key",
+  # "docker-config-auth", and "generic-api-key". Note: this does not consider any names introduced in the
+  # "secrets.additional-patterns" config option.
+  # SYFT_SECRETS_EXCLUDE_PATTERN_NAMES env var
+  exclude-pattern-names: []
+
+# options when pulling directly from a registry via the "registry:" scheme
+registry:
+  # skip TLS verification when communicating with the registry
+  # SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
+  insecure-skip-tls-verify: false
+  # use http instead of https when connecting to the registry
+  # SYFT_REGISTRY_INSECURE_USE_HTTP env var
+  insecure-use-http: false
+
+  # credentials for specific registries
+  auth:
+      # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
+      # SYFT_REGISTRY_AUTH_AUTHORITY env var
+    - authority: ""
+      # SYFT_REGISTRY_AUTH_USERNAME env var
+      username: ""
+      # SYFT_REGISTRY_AUTH_PASSWORD env var
+      password: ""
+      # note: token and username/password are mutually exclusive
+      # SYFT_REGISTRY_AUTH_TOKEN env var
+      token: ""
+      # - ... # note, more credentials can be provided via config file only
+
+# generate an attested SBOM
+# attest:
+#   # path to the private key file to use for attestation
+#   # SYFT_ATTEST_KEY env var
+#   key: "cosign.key"
+
+#   # password to decrypt to given private key
+#   # SYFT_ATTEST_PASSWORD env var, additionally responds to COSIGN_PASSWORD
+#   password: ""
+
+log:
+  # use structured logging
+  # same as SYFT_LOG_STRUCTURED env var
+  structured: false
+
+  # the log level; note: detailed logging suppress the ETUI
+  # same as SYFT_LOG_LEVEL env var
+  level: "error"
+
+  # location to write the log file (default is not to have a log file)
+  # same as SYFT_LOG_FILE env var
+  # file: ""
+
+# uploading package SBOM is exposed through the packages subcommand
+# anchore:
+#   # (feature-preview) the Anchore Enterprise Host or URL to upload results to (supported on Enterprise 3.0+)
+#   # same as -H ; SYFT_ANCHORE_HOST env var
+#   host: ""
+
+#   # (feature-preview) the path after the host to the Anchore External API (supported on Enterprise 3.0+)
+#   # same as SYFT_ANCHORE_PATH env var
+#   path: ""
+
+#   # (feature-preview) the username to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
+#   # same as -u ; SYFT_ANCHORE_USERNAME env var
+#   username: ""
+
+#   # (feature-preview) the password to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
+#   # same as -p ; SYFT_ANCHORE_PASSWORD env var
+#   password: ""
+
+#   # (feature-preview) path to dockerfile to be uploaded with the syft results to Anchore Enterprise (supported on Enterprise 3.0+)
+#   # same as -d ; SYFT_ANCHORE_DOCKERFILE env var
+#   dockerfile: ""
diff --git a/.syft/syft.report.csv.go.tmpl b/.syft/syft.report.csv.go.tmpl
@@ -0,0 +1,4 @@
+"Package","Version Installed","Found by","Licenses","MetadataType"
+{{- range .Artifacts}}
+"{{.Name}}","{{.Version}}","{{.FoundBy}}","{{ .Licenses }}","{{ .MetadataType }}"
+{{- end}}
diff --git a/package.json b/package.json
@@ -24,6 +24,7 @@
     "tools:validate-bundle-names": "TS_NODE_PROJECT=./tools/tsconfig.json node --trace-deprecation --experimental-modules --abort-on-uncaught-exception --loader ts-node/esm --experimental-specifier-resolution=node ./tools/validate-bundle-names.js",
     "generate-api-server-config": "node ./tools/generate-api-server-config.js",
     "sync-ts-config": "TS_NODE_PROJECT=tools/tsconfig.json node --experimental-json-modules --loader ts-node/esm ./tools/sync-npm-deps-to-tsc-projects.ts",
+    "generate-sbom": "TS_NODE_PROJECT=tools/tsconfig.json node --experimental-json-modules --loader ts-node/esm ./tools/generate-sbom.ts",
     "start:api-server": "node ./packages/cactus-cmd-api-server/dist/lib/main/typescript/cmd/cactus-api.js --config-file=.config.json",
     "start:example-supply-chain": "yarn build:dev && cd ./examples/supply-chain-app/ && yarn --no-lockfile && yarn start",
     "start:example-carbon-accounting": "CONFIG_FILE=examples/cactus-example-carbon-accounting-backend/example-config.json node examples/cactus-example-carbon-accounting-backend/dist/lib/main/typescript/carbon-accounting-app-cli.js",