feat: sbom dependency relationship transparency. ref: QSP-15728

Dynatrace · Feb 6, 2025 · 1dc59d2 · 1dc59d2
1 parent 574d513
commit 1dc59d2
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -237,7 +237,10 @@ jobs:
           image-ref: ${{ matrix.url }}/${{ secrets[matrix.repository] }}:${{ needs.prepare.outputs.version }}@${{ needs.manifest.outputs.digest }}
           format: 'cyclonedx'
           output: 'result.json'
-          skip-dirs: '/usr/share/dynatrace-operator/third_party_licenses'
+          skip-dirs:
+            - '/usr/share/dynatrace-operator/third_party_licenses'
+          skip-files:
+            - '/usr/local/bin/dynatrace-operator'
       - name: Upload sbom to ${{matrix.registry}}
         uses: ./.github/actions/upload-sbom
         with:

diff --git a/Dockerfile b/Dockerfile
@@ -14,6 +14,7 @@ RUN go mod download -x
 
 COPY pkg ./pkg
 COPY cmd ./cmd
+COPY .git /.git
 
 ARG GO_LINKER_ARGS
 ARG GO_BUILD_TAGS
@@ -26,6 +27,10 @@ RUN --mount=type=cache,target="/root/.cache/go-build" \
     go build -tags "${GO_BUILD_TAGS}" -trimpath -ldflags="${GO_LINKER_ARGS}" \
     -o ./build/_output/bin/dynatrace-operator ./cmd/
 
+# Generate binary SBOM - improved hierarchy resolution
+RUN go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.9.0
+RUN cyclonedx-gomod app -licenses -assert-licenses -json -main ./cmd -output ./build/_output/bin/dynatrace-operator-bin-sbom.json
+
 # platform is required, otherwise the copy command will copy the wrong architecture files, don't trust GitHub Actions linting warnings
 FROM --platform=$TARGETPLATFORM registry.access.redhat.com/ubi9-micro:9.5-1738816380@sha256:7e85855f6925e03f91b5c51f07886ff1c18c6ec69b5fc65491428a899da914a2 AS base
 FROM --platform=$TARGETPLATFORM registry.access.redhat.com/ubi9:9.5-1738814488@sha256:be214e191bbe3f4d0f16a5a4f5642e1f32fccd6fae7d2b6c6acb066ba51fb507 AS dependency
@@ -47,6 +52,9 @@ FROM --platform=$TARGETPLATFORM base
 
 COPY --from=dependency /tmp/rootfs-dependency /
 
+# operator sbom
+COPY --from=operator-build /app/build/_output/bin/dynatrace-operator-bin-sbom.json /dynatrace-operator-bin-sbom.cdx.json
+
 # operator binary
 COPY --from=operator-build /app/build/_output/bin /usr/local/bin