Skip to content

SBOM

SBOM #2122

Workflow file for this run

name: SBOM
on:
pull_request:
types: [opened, synchronize, reopened, edited]
paths: ["versions.json", "**/pom.xml", ".github/workflows/sbom.yml", "scripts/generateAndCheckSBOM.js", "scripts/generator/templates/*.xml"]
release:
types: ["published"]
workflow_dispatch:
inputs:
useSnapshots:
description: 'Use snapthots for all vaadin products'
required: false
type: boolean
default: false
useBomber:
description: 'Use bomber'
required: false
type: boolean
default: true
useOSV:
description: 'Use osv-scanner'
required: false
type: boolean
default: true
useOWASP:
description: 'Use owasp:dependency-check-maven'
required: false
type: boolean
default: true
useFullOWASP:
description: 'Use full owasp:dependency-check'
required: false
type: boolean
default: false
version:
description: 'Use set Platform Version to:'
required: false
type: string
default: ''
forcePushReports:
description: 'Push the SBOM to release note'
required: false
type: boolean
default: false
jobs:
run:
runs-on: ubuntu-latest
steps:
- run: |
[ -z "${{secrets.TB_LICENSE}}" ] \
&& echo "🚫 **TB_LICENSE** is not defined, check that **${{github.repository}}** repo has a valid secret" \
| tee -a $GITHUB_STEP_SUMMARY && exit 1 || exit 0
name: Check secrets
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-node@v3
with:
node-version: '18'
- uses: actions/setup-java@v3
with:
java-version: '17'
distribution: 'temurin'
- uses: stCarolas/setup-maven@v4.5
with:
maven-version: '3.8.2'
- uses: actions/setup-go@v3
with:
go-version: 'stable'
- run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1
- run: |
wget -q https://github.com/devops-kung-fu/bomber/releases/download/v0.4.7/bomber_0.4.7_linux_amd64.deb
sudo dpkg -i bomber_0.4.7_linux_amd64.deb
name: Install bomber-0.4.7
- run: |
# Install dependency-check-9.0.2
cd /tmp
wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v9.0.2/dependency-check-9.0.2-release.zip
unzip dependency-check-9.0.2-release.zip
sudo ln -s /tmp/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check
name: Install dependency-check-9.0.2
- run: |
mkdir -p ~/.vaadin/
echo '{"username":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f1`'","proKey":"'`echo ${{secrets.TB_LICENSE}} | cut -d / -f2`'"}' > ~/.vaadin/proKey
name: Install proKey
- run: |
[ false = "${{github.event.inputs.useBomber}}" ] && A="$A --disable-bomber"
[ false = "${{github.event.inputs.useOSV}}" ] && A="$A --disable-osv-scan"
[ false = "${{github.event.inputs.useOWASP}}" ] && A="$A --disable-owasp"
[ true = "${{github.event.inputs.useFullOWASP}}" ] && A="$A --enable-full-owasp"
[ true = "${{github.event.inputs.useSnapshots}}" ] && A="$A --useSnapshots"
V="${{ github.event.inputs.version || github.event.release.tag_name }}"
[ -n "$V" ] && A="$A --version $V"
cmd="scripts/generateAndCheckSBOM.js $A"
echo "Running: $cmd"
$cmd
name: Generate And Check SBOM
env:
OSSINDEX_USER: ${{secrets.OSSINDEX_USER}}
OSSINDEX_TOKEN: ${{secrets.OSSINDEX_TOKEN}}
NVD_API_KEY: ${{secrets.NVD_API_KEY}}
- if: ${{always() && env.DEPENDENCIES_REPORT && github.event.pull_request}}
uses: thollander/actions-comment-pull-request@v2
with:
message: "${{env.DEPENDENCIES_REPORT}}\n[[Click for more Details](${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}})]"
comment_tag: dependencies_report
- if: ${{always()}}
uses: actions/upload-artifact@v3.1.1
with:
name: files
path: |
**/target/bom-vaadin.json
**/target/*-report.json
**/target/tree-*.txt
**/target/dependencies.html
if-no-files-found: error
retention-days: 60
- if: ${{(success() || github.event.inputs.forcePushReports) && (github.event.inputs.version || github.event.release.tag_name)}}
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: vaadin-platform-sbom/target/bom-vaadin.json
asset_name: "Software.Bill.Of.Materials.json"
tag: ${{ github.event.inputs.version || github.event.release.tag_name }}
overwrite: true
- if: ${{(success() || github.event.inputs.forcePushReports) && (github.event.inputs.version || github.event.release.tag_name)}}
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: vaadin-platform-sbom/target/dependencies.html
asset_name: "Dependencies.Report.html"
tag: ${{ github.event.inputs.version || github.event.release.tag_name }}
overwrite: true