Skip to content

test ci: add gh workflows to generate sbom #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

test ci: add gh workflows to generate sbom #14

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
8818fa9
ci: add gh workflows to generate sbom
ahasunos Jan 2, 2025
e72a6fe
ci: update gh workflow
ahasunos Jan 29, 2025
5bce83e
ci: test few more things to verify if we are getting more info
ahasunos Jan 29, 2025
d6514a3
ci: make api call based on external refs
ahasunos Jan 29, 2025
67e4242
chore: add debug statements
ahasunos Jan 29, 2025
48d5fa2
chore: add debug statements
ahasunos Jan 29, 2025
b8ec0eb
chore: add debug statements
ahasunos Jan 29, 2025
5026483
chore: add debug statements
ahasunos Jan 29, 2025
db09e49
chore: add debug statements
ahasunos Jan 29, 2025
19beb3d
ci: do not skip
ahasunos Jan 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 114 additions & 0 deletions .github/workflows/sbom.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
name: Download SBOM from Insights and Convert to CSV

# on:
# workflow_dispatch:


# # NOTE: We would probably want to run this workflow on every push to main and not on pull requests
# # on:
# # push:
# # branches:
# # - main

on:
pull_request:
branches:
- main

jobs:
convert-sbom:
runs-on: ubuntu-latest

steps:
- name: Checkout Code
uses: actions/checkout@v3

- name: Set Timestamp and Unique Filename
run: |
FILE_PREFIX=$(echo "${{ github.repository }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV

- name: Download SBOM
run: |
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/dependency-graph/sbom \
-o "${FILE_PREFIX}-sbom.json"

- name: Verify SBOM JSON File
run: |
ls -l "${FILE_PREFIX}-sbom.json"

- name: Preview SBOM JSON Content
run: |
head -n 20 "${FILE_PREFIX}-sbom.json"

- name: Convert SBOM to CSV using jq
run: |
echo "name,SPDXID,versionInfo,downloadLocation,externalRefs,license,source_code_url,vendor" > "${FILE_PREFIX}-sbom.csv"
jq -r '
.sbom.packages[] | [
.name,
.SPDXID,
.versionInfo,
.downloadLocation,
( .externalRefs[]? | .referenceLocator ),
"None", "None", "None"
] | @csv' "${FILE_PREFIX}-sbom.json" >> "${FILE_PREFIX}-sbom.csv"

- name: Preview SBOM CSV Content
run: |
head -n 20 "${FILE_PREFIX}-sbom.csv"

- name: Enrich SBOM CSV with RubyGems Data
run: |
TEMP_CSV="${FILE_PREFIX}-sbom-temp.csv"
echo "name,SPDXID,versionInfo,downloadLocation,externalRefs,license,source_code_url,vendor" > "$TEMP_CSV"
tail -n +2 "${FILE_PREFIX}-sbom.csv" | while IFS=, read -r name SPDXID versionInfo downloadLocation externalRefs license source_code_url vendor; do
# Debug each row
echo "Processing: $name, $SPDXID, $versionInfo, $downloadLocation, $externalRefs, $license, $source_code_url, $vendor"
if [[ "$externalRefs" == *"pkg:gem"* ]]; then
echo "Processing RubyGem: $name"
gem_name=$(echo "$name" | tr -d '"')
version=$(echo "$versionInfo" | tr -d '"')
# Check if the version contains a version constraint (e.g., ~>, >=, <=)
if [[ "$versionInfo" =~ [\~\>\<\=\ ] ]]; then
echo "Skipping call to rubygems.org for version constraint: $versionInfo"
else
# Proceed with making the call to rubygems.org
echo "Making call to rubygems.org for fixed version: $versionInfo"
# Your logic to call rubygems.org
api_url="https://rubygems.org/api/v2/rubygems/${gem_name}/versions/${version}.json"
response=$(curl -s "$api_url")
echo "Response: $response"
new_license=$(echo "$response" | jq -r '.licenses[0] // "None"')
echo "License: $new_license"
new_source_code_url=$(echo "$response" | jq -r '.source_code_uri // "None"')
new_vendor=$(echo "$response" | jq -r '.authors // "None"')
fi
else
new_license="None"
new_source_code_url="None"
new_vendor="None"
fi
echo "$name,$SPDXID,$versionInfo,$downloadLocation,$externalRefs,$new_license,$new_source_code_url,$new_vendor" >> "$TEMP_CSV"
done
mv "$TEMP_CSV" "${FILE_PREFIX}-sbom.csv"

- name: Verify SBOM CSV File
run: |
ls -l "${FILE_PREFIX}-sbom.csv"

- name: Upload SBOM JSON as Artifact
uses: actions/upload-artifact@v3
with:
name: sbom-json
path: ${{ env.FILE_PREFIX }}-sbom.json

- name: Upload SBOM CSV as Artifact
uses: actions/upload-artifact@v3
with:
name: sbom-csv
path: ${{ env.FILE_PREFIX }}-sbom.csv
Loading