feat: sbom dependency relationship transparency. ref: QSP-15724

Dynatrace · Feb 12, 2025 · bee9cdd · bee9cdd
1 parent 574d513
commit bee9cdd
Show file tree

Hide file tree

Showing 8 changed files with 24 additions and 0 deletions.
diff --git a/.github/actions/build-image/action.yaml b/.github/actions/build-image/action.yaml
@@ -30,6 +30,10 @@ runs:
       shell: bash
       run: |
         hack/build/ci/third-party-licenses.sh
+    - name: Create empty SBOM file
+      shell: bash
+      run: |
+        touch dynatrace-operator-bin-sbom.cdx.json
     - name: Build target
       uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
       with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -44,6 +44,10 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Prepare SBOM
+        id: sbom
+        run: |
+          make release/gen-sbom
       - name: Build image
         uses: ./.github/actions/build-image
         with:
@@ -238,6 +242,7 @@ jobs:
           format: 'cyclonedx'
           output: 'result.json'
           skip-dirs: '/usr/share/dynatrace-operator/third_party_licenses'
+          skip-files: '/usr/local/bin/dynatrace-operator'
       - name: Upload sbom to ${{matrix.registry}}
         uses: ./.github/actions/upload-sbom
         with:

diff --git a/.gitignore b/.gitignore
@@ -106,3 +106,4 @@ test/testdata/secrets/*
 local/
 
 permissions.md
+dynatrace-operator-bin-sbom.cdx.json
diff --git a/Dockerfile b/Dockerfile
@@ -57,6 +57,8 @@ COPY --from=registry.k8s.io/sig-storage/livenessprobe:v2.15.0@sha256:2c5f9dc4ea5
 COPY ./third_party_licenses /usr/share/dynatrace-operator/third_party_licenses
 COPY LICENSE /licenses/
 
+COPY ./dynatrace-operator-bin-sbom.cdx.json ./dynatrace-operator-bin-sbom.cdx.json
+
 # custom scripts
 COPY hack/build/bin /usr/local/bin
 

diff --git a/Makefile b/Makefile
@@ -52,6 +52,7 @@ SHELL ?= bash
 -include hack/make/helm/*.mk
 -include hack/make/manifests/*.mk
 -include hack/make/tests/*.mk
+-include hack/make/release/*.mk
 
 ## Builds the operator image and pushes it to quay with a snapshot tag
 build: images/build/push

diff --git a/hack/build/build_image.sh b/hack/build/build_image.sh
@@ -21,6 +21,7 @@ out_image="${image}:${tag}"
 
 # directory required by docker copy command
 mkdir -p third_party_licenses
+touch dynatrace-operator-bin-sbom.cdx.json
 
 if ! command -v docker 2>/dev/null; then
   CONTAINER_CMD=podman
@@ -41,3 +42,4 @@ ${CONTAINER_CMD} build "${OPERATOR_BUILD_PLATFORM}" . -f ./Dockerfile -t "${out_
   --label "quay.expires-after=14d"
 
 rm -rf third_party_licenses
+rm dynatrace-operator-bin-sbom.cdx.json
diff --git a/hack/make/prerequisites.mk b/hack/make/prerequisites.mk
@@ -16,6 +16,8 @@ markdownlint_cli_version=v0.44.0
 helmunittest_version=v0.7.2
 # renovate depName=github.com/princjef/gomarkdoc
 gomarkdoc_version=v1.1.0
+# renovate depName=github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod
+cyclonedx_gomod_version=v1.9.0
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -81,3 +83,7 @@ prerequisites/gomarkdoc:
 ## Install python dependencies
 prerequisites/python:
 	python3 -m venv local/.venv && source local/.venv/bin/activate && pip3 install -r hack/requirements.txt
+
+## Install 'cyclonedx-gomod' if it is missing
+prerequisites/cyclonedx-gomod:
+	go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@$(cyclonedx_gomod_version)
diff --git a/hack/make/release/release.mk b/hack/make/release/release.mk
@@ -0,0 +1,3 @@
+## Generates SBOM of binary
+release/gen-sbom: prerequisites/cyclonedx-gomod
+	cyclonedx-gomod app -licenses -assert-licenses -json -main cmd/ -output dynatrace-operator-bin-sbom.cdx.json
Original file line number	Diff line number	Diff line change
Expand Up		@@ -106,3 +106,4 @@ test/testdata/secrets/*
		local/

		permissions.md
		dynatrace-operator-bin-sbom.cdx.json