diff --git a/.github/actions/build-image/action.yaml b/.github/actions/build-image/action.yaml
index f0a833b597..e9f443bea1 100644
--- a/.github/actions/build-image/action.yaml
+++ b/.github/actions/build-image/action.yaml
@@ -30,6 +30,10 @@ runs:
 shell: bash
 run: |
 hack/build/ci/third-party-licenses.sh
+ - name: Create empty SBOM file
+ shell: bash
+ run: |
+ touch dynatrace-operator-bin-sbom.cdx.json
 - name: Build target
 uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
 with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6965481544..d56feb61dd 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -44,6 +44,10 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Prepare SBOM
+ id: sbom
+ run: |
+ make release/gen-sbom
 - name: Build image
 uses: ./.github/actions/build-image
 with:
@@ -238,6 +242,7 @@ jobs:
 format: 'cyclonedx'
 output: 'result.json'
 skip-dirs: '/usr/share/dynatrace-operator/third_party_licenses'
+ skip-files: '/usr/local/bin/dynatrace-operator'
 - name: Upload sbom to ${{matrix.registry}}
 uses: ./.github/actions/upload-sbom
 with:
diff --git a/.gitignore b/.gitignore
index 603b886772..9be34577e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -106,3 +106,4 @@ test/testdata/secrets/*
 local/
 permissions.md
+dynatrace-operator-bin-sbom.cdx.json
diff --git a/Dockerfile b/Dockerfile
index 96f8a68cc4..23081c8072 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,6 +57,8 @@ COPY --from=registry.k8s.io/sig-storage/livenessprobe:v2.15.0@sha256:2c5f9dc4ea5
 COPY ./third_party_licenses /usr/share/dynatrace-operator/third_party_licenses
 COPY LICENSE /licenses/
+COPY ./dynatrace-operator-bin-sbom.cdx.json ./dynatrace-operator-bin-sbom.cdx.json
+
 # custom scripts
 COPY hack/build/bin /usr/local/bin
diff --git a/Makefile b/Makefile
index 640f2c6efc..4ac1a8744e 100644
--- a/Makefile
+++ b/Makefile
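Review bot: The `touch dynatrace-operator-bin-sbom.cdx.json` step leaves a 0-byte file in the build context whenever no SBOM was generated beforehand, and the Dockerfile hunk in this commit copies that file into the image, so every non-release image ships a `.cdx.json` that is not a parseable CycloneDX document. Tooling that discovers SBOMs by filename will then report a parse error instead of a missing artifact, which is harder to triage. Consider emitting a minimal valid document (or making the step conditional) and state the intent above the step: `# placeholder so the Dockerfile COPY succeeds; release.yaml generates the real SBOM before this action runs`. `touch` does not overwrite an existing file, so the release path is unaffected; the enclosing `runs.steps` list continues outside the hunk.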
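Review bot: The `Prepare SBOM` step declares `id: sbom`, but nothing in the hunk reads `steps.sbom`, and the step runs `make release/gen-sbom` (which `go install`s cyclonedx-gomod) immediately after checkout with no visible Go setup, so it uses whatever toolchain the runner image provides unless a setup step runs earlier in the job. Drop the unused id or expose the output it was meant for, and confirm the Go toolchain is pinned before this step. A one-line comment would also help the next reader: `# writes dynatrace-operator-bin-sbom.cdx.json, which build-image copies into the image`. The job definition begins before the hunk.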
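Review bot: `skip-files: '/usr/local/bin/dynatrace-operator'` excludes the operator binary from the image scan, and nothing in the hunk says what replaces its coverage in `result.json`; presumably the cyclonedx-gomod SBOM copied into the image is meant to be picked up instead, but that depends on the scanner's SBOM-file discovery and on where the Dockerfile places the file. Record the rationale inline so the exclusion is not later read as an accidental blind spot: `# Go dependencies of the binary are covered by dynatrace-operator-bin-sbom.cdx.json from the Prepare SBOM step`. Checking that the uploaded SBOM still lists the module dependencies would confirm that assumption. The step's `with:` mapping starts before the hunk.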
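Review bot: `COPY ./dynatrace-operator-bin-sbom.cdx.json ./dynatrace-operator-bin-sbom.cdx.json` uses a relative destination, so the SBOM lands wherever the final stage's `WORKDIR` happens to point (not visible in the hunk), while the adjacent license material is placed under absolute paths. An absolute, documented location — for example alongside the licenses under `/usr/share/dynatrace-operator/` — keeps the artifact predictable for scanners and for anyone reading the `skip-files` exclusion added in release.yaml. On non-release builds the copied file is a 0-byte placeholder from build-image, which a comment above the line should state: `# SBOM of the operator binary; an empty placeholder outside release builds`.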
@@ -52,6 +52,7 @@ SHELL ?= bash
 -include hack/make/helm/*.mk
 -include hack/make/manifests/*.mk
 -include hack/make/tests/*.mk
+-include hack/make/release/*.mk
 ## Builds the operator image and pushes it to quay with a snapshot tag
 build: images/build/push
diff --git a/hack/build/build_image.sh b/hack/build/build_image.sh
index 71dfcdf5e8..fdfe2091d4 100755
--- a/hack/build/build_image.sh
+++ b/hack/build/build_image.sh
@@ -21,6 +21,7 @@ out_image="${image}:${tag}"
 # directory required by docker copy command
 mkdir -p third_party_licenses
+touch dynatrace-operator-bin-sbom.cdx.json
 if ! command -v docker 2>/dev/null; then
 CONTAINER_CMD=podman
@@ -41,3 +42,4 @@ ${CONTAINER_CMD} build "${OPERATOR_BUILD_PLATFORM}" . -f ./Dockerfile -t "${out_
 --label "quay.expires-after=14d"
 rm -rf third_party_licenses
+rm dynatrace-operator-bin-sbom.cdx.json
diff --git a/hack/make/prerequisites.mk b/hack/make/prerequisites.mk
index e2613ec20b..557634666a 100644
--- a/hack/make/prerequisites.mk
+++ b/hack/make/prerequisites.mk
@@ -16,6 +16,8 @@ markdownlint_cli_version=v0.44.0
 helmunittest_version=v0.7.2
 # renovate depName=github.com/princjef/gomarkdoc
 gomarkdoc_version=v1.1.0
+# renovate depName=github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod
+cyclonedx_gomod_version=v1.9.0
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -81,3 +83,7 @@ prerequisites/gomarkdoc:
 ## Install python dependencies
 prerequisites/python:
 python3 -m venv local/.venv && source local/.venv/bin/activate && pip3 install -r hack/requirements.txt
+
+## Install 'cyclonedx-gomod' if it is missing
+prerequisites/cyclonedx-gomod:
+ go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@$(cyclonedx_gomod_version)
diff --git a/hack/make/release/release.mk b/hack/make/release/release.mk
new file mode 100644
index 0000000000..5e6abf3a6c
--- /dev/null
+++ b/hack/make/release/release.mk
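Review bot: `rm dynatrace-operator-bin-sbom.cdx.json` in the second build_image.sh hunk (`@@ -41,3 +42,4 @@`) deletes the file unconditionally, whereas the `touch` added in the first hunk leaves an existing file untouched, so a developer who ran `make release/gen-sbom` before a local build loses the generated SBOM afterwards, and the `rm` never runs when the build fails earlier. Create the placeholder only when the file is absent and remove only what the script created: `[ -e dynatrace-operator-bin-sbom.cdx.json ] || { touch dynatrace-operator-bin-sbom.cdx.json; sbom_placeholder=1; }` in place of the `touch`, and `if [ -n "${sbom_placeholder:-}" ]; then rm dynatrace-operator-bin-sbom.cdx.json; fi` in place of the bare `rm`. A `trap` on EXIT would cover the failure path for both this file and `third_party_licenses`; the script's `set` options are not visible in the hunks.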
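Review bot: The comment `## Install 'cyclonedx-gomod' if it is missing` does not match its recipe, which runs `go install ...@$(cyclonedx_gomod_version)` on every invocation; either reword it to `## Install 'cyclonedx-gomod' at the pinned version` or guard the call on the binary's presence. Pinning to a tag is acceptable here because `go install` verifies the module against the Go checksum database, and the version is kept next to the renovate marker in the first prerequisites.mk hunk (`@@ -16,6 +16,8 @@`), consistent with the existing entries. Whether the sibling `prerequisites/*` targets are declared `.PHONY` is not visible in the hunk.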
@@ -0,0 +1,3 @@ +## Generates SBOM of binary +release/gen-sbom: prerequisites/cyclonedx-gomod + cyclonedx-gomod app -licenses -assert-licenses -json -main cmd/ -output dynatrace-operator-bin-sbom.cdx.json
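Review bot: The comment `## Generates SBOM of binary` overstates what the recipe does: `cyclonedx-gomod app -main cmd/` derives the SBOM from the module source and go.mod for the `cmd/` main package, not from a compiled artifact, so its contents follow the build constraints of the environment running `make` (GOOS, GOARCH, tags) rather than whatever the Dockerfile build produces, and `cyclonedx-gomod bin` is the mode that inspects a binary. Reword to `## Generates a CycloneDX SBOM for the cmd/ main package from go.mod (not from the built binary)` and, if the release image is cross-compiled, set the matching GOOS/GOARCH in the recipe. `-assert-licenses` makes the target fail when a dependency licence cannot be resolved, which is the right default for a release path and worth a short comment. Declaring `release/gen-sbom` as `.PHONY` would prevent a stray file of that name from silently satisfying the target.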