From fa3b9b6b41af660ad17fa37a9db63a868bc4699c Mon Sep 17 00:00:00 2001
From: Thomas Lehmann
Date: Mon, 4 Nov 2024 15:00:00 +0100
Subject: [PATCH 01/30] [WIP] workflows: add SBOM generation step

---
 .github/workflows/sbom.yaml | 59 +++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/sbom.yaml

diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml
new file mode 100644
index 0000000000000..4eec9fa673142
--- /dev/null
+++ b/.github/workflows/sbom.yaml
@@ -0,0 +1,59 @@ +name: SBOM generation + +# SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors +# SPDX-FileCopyrightText: 2024 STRATO AG +# SPDX-License-Identifier: AGPL-3.0-or-later + +on: + push: + branches: + # Enable once approved + # - ionos-dev + - tl/sbom-generation + +jobs: + generate-sbom: + runs-on: ubuntu-latest + + permissions: + contents: read + + name: generate-sbom + steps: + - name: Checkout server + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + # Submodules are checked independently + submodules: false + + # SBOM for composer (generate) + + - name: Generate SBOM (composer) + # Output filename can not be configured, is bom.xml + # https://github.com/CycloneDX/gh-php-composer-generate-sbom + uses: CycloneDX/gh-php-composer-generate-sbom@v1 + + - name: Rename composer bom.xml to bom.composer.xml + run: | + mv bom.xml bom.composer.xml + + # SBOM for NPM (install and generate) + + - name: Set up node with version from package.json's engines + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version-file: "package.json" + + - name: Build Nextcloud + env: + FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} + run: | + npm ci + + - name: Generate SBOM (npm) + # https://github.com/CycloneDX/gh-node-module-generatebom + uses: CycloneDX/gh-node-module-generatebom@v1 + with: + output: './bom.npm.xml' + + # TODO: merge BOMs, upload BOMs From 9d4a383db9726151846df26c10601e081b98771b Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 15:30:22 +0100 Subject: [PATCH 02/30] [WIP] sbom: merge SBOMs --- .github/workflows/sbom.yaml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 4eec9fa673142..6c0de98d1b11a 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
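Review bot: The two CycloneDX actions in this hunk are referenced by mutable tags (`uses: CycloneDX/gh-php-composer-generate-sbom@v1`, `uses: CycloneDX/gh-node-module-generatebom@v1`) while `actions/checkout` and `actions/setup-node` in the same file are pinned to full commit SHAs with a version comment. A tool that reads the dependency tree and emits the SBOM consumed downstream deserves the same treatment; pin both to a commit SHA with a trailing version comment, e.g. `uses: CycloneDX/gh-php-composer-generate-sbom@<commit-sha> # v1.x.y`. The job-level `permissions:` / `contents: read` is good; setting the same block at workflow level too would make any job added later inherit it instead of the repository default.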
@@ -56,4 +56,26 @@ jobs: with: output: './bom.npm.xml' - # TODO: merge BOMs, upload BOMs + merge-sboms: + needs: generate-sbom + runs-on: ubuntu-latest + + # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container + container: + image: cyclonedx/cyclonedx-cli:0.27.1 + steps: + - name: Merge SBOMs + # https://github.com/CycloneDX/cyclonedx-cli#merge-command + run: | + cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + + upload-sboms: + needs: merge-sboms + runs-on: ubuntu-latest + + steps: + - name: Dump merged SBOM + run: | + cat bom.xml + + # TODO: upload BOMs From 9bef662e918b6060ded2d9df740b254f2728f843 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 16:42:01 +0100 Subject: [PATCH 03/30] [WIP] workflow: pass bom.xmls between jobs --- .github/workflows/sbom.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 6c0de98d1b11a..c34d84a65ad21 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -56,6 +56,14 @@ jobs: with: output: './bom.npm.xml' + # Pass BOMs to next Job + # https://github.com/actions/upload-artifact + - name: Store partial BOMs + uses: actions/upload-artifact@v4 + with: + name: bom-partials + path: bom.*.xml + merge-sboms: needs: generate-sbom runs-on: ubuntu-latest 
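Review bot: The new `merge-sboms` and `upload-sboms` jobs carry no `permissions:` block, whereas `generate-sbom` above restricts its token to `contents: read`; a job without one inherits the repository default for `GITHUB_TOKEN`, which may be write. Neither new job uses the token for anything visible here, so add `permissions:` / `contents: read` to both. The container image `image: cyclonedx/cyclonedx-cli:0.27.1` is pinned by tag only; a digest reference such as `image: cyclonedx/cyclonedx-cli:0.27.1@sha256:<digest>` would make the merge step reproducible and immune to a re-pushed tag.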
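Review bot: `actions/upload-artifact@v4` here, and `actions/download-artifact@v4` plus the second `upload-artifact@v4` in the next hunk, are pinned to a floating major tag while `actions/checkout` in this file is pinned to a commit SHA; pin them the same way, `uses: actions/upload-artifact@<commit-sha> # v4.x.y`. Neither upload step sets `retention-days`, so the BOMs stay for the repository default; if `bom-partials` is only an inter-job hand-off, `retention-days: 1` keeps it from accumulating.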
@@ -63,12 +71,26 @@ jobs: # https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container container: image: cyclonedx/cyclonedx-cli:0.27.1 + steps: + - name: Download partial BOMs + uses: actions/download-artifact@v4 + with: + name: bom-partials + - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command run: | cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + # Pass merged BOM to next Job + # https://github.com/actions/upload-artifact + - name: Store merged BOM + uses: actions/upload-artifact@v4 + with: + name: final-bom + path: bom.xml + upload-sboms: needs: merge-sboms runs-on: ubuntu-latest From f7d8d2a245b77a083a9de5d89e494301fb98890e Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 16:56:08 +0100 Subject: [PATCH 04/30] [WIP] workflow: set SBOM out version to 1.3 Upload to DT failed with schema validation error and no details, maybe the version is to recent. --- .github/workflows/sbom.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c34d84a65ad21..c8d552019cddc 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -80,8 +80,9 @@ jobs: - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command + # Using v1_3 because with the default (1.6) the upload failed at the DT web interface run: | - cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From 0a7fe1528c53fdd8954f803e89439540e04970a0 Mon Sep 17 00:00:00 2001 
From: Thomas Lehmann Date: Fri, 31 Jan 2025 16:43:01 +0100 Subject: [PATCH 05/30] Revert "[WIP] workflow: set SBOM out version to 1.3" Problem figured out: the merged SBOM contains a "component" node with a "bom-ref" attribute and a "purl" node, both contain values including the current Git branch name, which happens to contain a slash in my case, which, apparently, is not allowed. This reverts commit 2e39012109351fbed4ac0879c760baea0f27a50e. --- .github/workflows/sbom.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c8d552019cddc..c34d84a65ad21 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -80,9 +80,8 @@ jobs: - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command - # Using v1_3 because with the default (1.6) the upload failed at the DT web interface run: | - cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 + cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From d6943b5d873410d93c26cb4d3b3752f2259fa034 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 31 Jan 2025 16:57:29 +0100 Subject: [PATCH 06/30] [WIP] workflow: fix merged SBOM --- .github/workflows/sbom.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c34d84a65ad21..f98da9482f69d 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
@@ -80,8 +80,13 @@ jobs: - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command + # + # The generated SBOM is fixed with sed to remove potentially bad characters + # Slashes are not allowed after the @ in the meta/component's bom-ref + # attribute and purl node. run: | cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + sed -i -r 's;(pkg:composer/__root__)@[^"<]+;\1@merged-sbom;' bom.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From d58f375c04c2fc044d364fe2912473ed0c058814 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 4 Nov 2024 16:56:08 +0100 Subject: [PATCH 07/30] [WIP] workflow: set SBOM out version to 1.3 Upload to DT failed with schema validation error and no details, maybe the version is to recent. --- .github/workflows/sbom.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index f98da9482f69d..602ec624afe2c 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -80,12 +80,13 @@ jobs: - name: Merge SBOMs # https://github.com/CycloneDX/cyclonedx-cli#merge-command + # Using v1_3 because with the default (1.6) the upload failed at the DT web interface # # The generated SBOM is fixed with sed to remove potentially bad characters # Slashes are not allowed after the @ in the meta/component's bom-ref # attribute and purl node. run: | - cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml + cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 sed -i -r 's;(pkg:composer/__root__)@[^"<]+;\1@merged-sbom;' bom.xml # Pass merged BOM to next Job From 167a5c683808932b62f8b942ac38aea99c104478 Mon Sep 17 00:00:00 2001 
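Review bot: `sed -i` exits 0 whether or not the pattern matched, so if the generator changes how it renders the root component's purl the patch silently becomes a no-op and the unmodified BOM goes on to the next job. Make the expectation explicit after the `sed` line, e.g. `grep -q 'pkg:composer/__root__@merged-sbom' bom.xml`, so the job fails rather than hands on an unpatched file. The comment's statement that slashes are not allowed after the `@` is the author's diagnosis from the revert; recording the exact validator message it came from would help whoever next sees DT reject a BOM.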
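Review bot: The re-added comment `# Using v1_3 because with the default (1.6) the upload failed at the DT web interface` no longer matches what the series found: the revert in the previous patch attributes the failure to the slash in the branch name, which the `sed` line directly below now removes. If the downgrade is still needed, state the remaining reason in the comment; if not, drop `--output-version v1_3`, since converting to 1.3 discards whatever the merged 1.6 documents carry that the older schema cannot express. As written the two fixes look like one.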
From: Thomas Lehmann Date: Fri, 31 Jan 2025 17:44:23 +0100 Subject: [PATCH 08/30] [WIP] Use @yclonedx/cyclonedx-npm via npx, not an action The action was declared to be deprecated [1], [2] was mentioned as alternative. [1]: https://github.com/CycloneDX/gh-node-module-generatebom?tab=readme-ov-file [2]: https://www.npmjs.com/package/%40cyclonedx/cyclonedx-npm --- .github/workflows/sbom.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 602ec624afe2c..b78a93d61da6f 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -51,10 +51,8 @@ jobs: npm ci - name: Generate SBOM (npm) - # https://github.com/CycloneDX/gh-node-module-generatebom - uses: CycloneDX/gh-node-module-generatebom@v1 - with: - output: './bom.npm.xml' + run: | + npx @cyclonedx/cyclonedx-npm --output-format XML --output-file './bom.npm.xml' # Pass BOMs to next Job # https://github.com/actions/upload-artifact From 34a79b70fba0d813be874d87b49d64c72368a80c Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 14:27:22 +0100 Subject: [PATCH 09/30] [WIP] Add --ignore-npm-errors to @cyclonedx/cyclonedx-npm See the comment. --- .github/workflows/sbom.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b78a93d61da6f..8ceb5dc1b93f4 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
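Review bot: `npx @cyclonedx/cyclonedx-npm` resolves and executes the latest published version of the package at run time, so the SBOM generator itself becomes an unpinned dependency outside any lockfile, fetched fresh on every run. Pin it, `npx @cyclonedx/cyclonedx-npm@<version> ...`, or add it to `devDependencies` so `npm ci` installs it from the lockfile and `npx` uses the local copy. The deprecation references in the commit message justify the switch away from the action but not the unpinned invocation.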
@@ -51,8 +51,14 @@ jobs: npm ci - name: Generate SBOM (npm) + # Switch --ignore-npm-errors is used to not fail on inconsistencies + # found by npm ls, which complains about (mostly) "extraneous" packages + # found in node_modules, which are apparently related to us using npm + # overrides in package.json and presumably npm ls not being capable + # of analyzing this correctly. + # run: | - npx @cyclonedx/cyclonedx-npm --output-format XML --output-file './bom.npm.xml' + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.npm.xml' # Pass BOMs to next Job # https://github.com/actions/upload-artifact From edb2b31277408a5598eac2037901ac5f74b04bbd Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 14:54:33 +0100 Subject: [PATCH 10/30] [WIP] Fix fetch of stored artifact --- .github/workflows/sbom.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 8ceb5dc1b93f4..8732b5ca5321e 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -104,8 +104,12 @@ jobs: upload-sboms: needs: merge-sboms runs-on: ubuntu-latest - steps: + - name: Download partial BOMs + uses: actions/download-artifact@v4 + with: + name: final-bom + - name: Dump merged SBOM run: | cat bom.xml From e6389fa0f5ec43d4f92369f479b53d3958f48b10 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 15:21:43 +0100 Subject: [PATCH 11/30] [WIP] Change merged SBOM fix to replace _branch name_ by dummy string --- .github/workflows/sbom.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 8732b5ca5321e..b127c1f7d9b86 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
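Review bot: `--ignore-npm-errors` makes the generator proceed past `npm ls` inconsistencies, so the resulting SBOM may not reflect the tree `npm ci` actually installed, and nothing in the step records that this happened. Keep the flag if the overrides make it unavoidable, but surface the condition in the run, e.g. `npm ls --all >/dev/null || echo "::warning::npm ls reported inconsistencies; SBOM generated with --ignore-npm-errors"` before the `npx` line. The comment itself is helpful; it would be stronger if it named the package(s) for which the "extraneous" reports were observed.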
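Review bot: The step is named `Download partial BOMs` but fetches the `final-bom` artifact, i.e. the merged BOM written by `merge-sboms`; the name was copied from the merge job and now misleads. Rename it, `- name: Download merged BOM`, so the run log distinguishes the two download steps.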
@@ -83,6 +83,8 @@ jobs: name: bom-partials - name: Merge SBOMs + env: + BRANCH_NAME: ${{ github.head_ref || github.ref_name }} # https://github.com/CycloneDX/cyclonedx-cli#merge-command # Using v1_3 because with the default (1.6) the upload failed at the DT web interface # @@ -91,7 +93,7 @@ jobs: # attribute and purl node. run: | cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 - sed -i -r 's;(pkg:composer/__root__)@[^"<]+;\1@merged-sbom;' bom.xml + sed -i -r "s;${BRANCH_NAME};merged-sbom;" bom.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From c06aab2c3c5d6aa7b8ae22f6839d3ef530582a6d Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 16:25:56 +0100 Subject: [PATCH 12/30] [WIP] Change merged BOM patching - it failed once again --- .github/workflows/sbom.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b127c1f7d9b86..196be4f0686c8 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
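Review bot: `sed -i -r "s;${BRANCH_NAME};merged-sbom;" bom.xml` builds the sed program from the branch name, so any `;` or extended-regex metacharacter in a branch name changes the program or breaks the command; the anchored expression it replaces did not have this problem. Passing the value through `env:` in the first hunk rather than into the script text is the right move, but it should then be used as data, not as a pattern. The trigger is `on: push` to listed branches, which limits who can choose the value today, yet `github.head_ref` in the `||` fallback is chosen by the PR author if this ever runs on pull requests, so the pattern should not survive a widened trigger.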
@@ -83,17 +83,14 @@ jobs: name: bom-partials - name: Merge SBOMs - env: - BRANCH_NAME: ${{ github.head_ref || github.ref_name }} # https://github.com/CycloneDX/cyclonedx-cli#merge-command # Using v1_3 because with the default (1.6) the upload failed at the DT web interface # - # The generated SBOM is fixed with sed to remove potentially bad characters - # Slashes are not allowed after the @ in the meta/component's bom-ref - # attribute and purl node. + # The generated SBOM is fixed with awk to remove XML schema violating + # elements or values that prevent upload to Dependency Track. run: | cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 - sed -i -r "s;${BRANCH_NAME};merged-sbom;" bom.xml + awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.patched.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact From 7c68575253f264810efcc4cda3bfcb42b77c31f6 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 16:37:22 +0100 Subject: [PATCH 13/30] [WIP] Rename build step descriptions --- .github/workflows/sbom.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 196be4f0686c8..be49d492fe5bb 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -28,7 +28,7 @@ jobs: # SBOM for composer (generate) - - name: Generate SBOM (composer) + - name: Generate SBOM (Nextcloud - composer) # Output filename can not be configured, is bom.xml # https://github.com/CycloneDX/gh-php-composer-generate-sbom uses: CycloneDX/gh-php-composer-generate-sbom@v1 
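Review bot: The awk step writes its result to `bom.patched.xml`, but the `Store merged BOM` step further down (outside this hunk, with `path: bom.xml` from an earlier patch) still uploads `bom.xml`, so the unpatched merge is what reaches `upload-sboms`. Either write back, `mv bom.patched.xml bom.xml`, or change the artifact path. As rendered here the first pattern reads `/^ /`, which would drop every indented line after the first match; if the real pattern is the `<metadata>` opening tag (possibly lost in rendering), the step strips the whole metadata element, including the root component and timestamp, which is a much larger change than the comment `remove XML schema violating elements or values` suggests and deserves to be spelled out there.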
@@ -50,7 +50,7 @@ jobs: run: | npm ci - - name: Generate SBOM (npm) + - name: Generate SBOM (Nextcloud - npm) # Switch --ignore-npm-errors is used to not fail on inconsistencies # found by npm ls, which complains about (mostly) "extraneous" packages # found in node_modules, which are apparently related to us using npm From d7e51ebf29f4ef97e51c945e2809addbd0d848d1 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 16:59:14 +0100 Subject: [PATCH 14/30] [WIP] Use run composer instead of deprecated action The action is marked "deprecated" [1] [1]: https://github.com/CycloneDX/gh-php-composer-generate-sbom --- .github/workflows/sbom.yaml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index be49d492fe5bb..35b05ec27797b 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -29,13 +29,10 @@ jobs: # SBOM for composer (generate) - name: Generate SBOM (Nextcloud - composer) - # Output filename can not be configured, is bom.xml - # https://github.com/CycloneDX/gh-php-composer-generate-sbom - uses: CycloneDX/gh-php-composer-generate-sbom@v1 - - - name: Rename composer bom.xml to bom.composer.xml + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | - mv bom.xml bom.composer.xml + composer global require cyclonedx/cyclonedx-php-composer + composer CycloneDX:make-sbom --output-file=bom.nextcloud.composer.xml # SBOM for NPM (install and generate) @@ -58,7 +55,7 @@ jobs: # of analyzing this correctly. # run: | - npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.npm.xml' + npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.nextcloud.npm.xml' # Pass BOMs to next Job # https://github.com/actions/upload-artifact 
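Review bot: `composer global require cyclonedx/cyclonedx-php-composer` pulls whatever the newest release is at run time, so the SBOM generator is an unpinned dependency outside any lockfile; pin it, `composer global require cyclonedx/cyclonedx-php-composer:<version>`. The package is a Composer plugin, and since Composer 2.2 a plugin is not loaded unless `allow-plugins` permits it, so in a non-interactive run the `CycloneDX:make-sbom` command may not be available; run `composer global config --no-plugins allow-plugins.cyclonedx/cyclonedx-php-composer true` before the require. The `# https://packagist.org/...` comment is a good pointer, but the pin is what makes the run reproducible.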
@@ -89,16 +86,17 @@ jobs: # The generated SBOM is fixed with awk to remove XML schema violating # elements or values that prevent upload to Dependency Track. run: | - cyclonedx merge --input-files bom.composer.xml bom.npm.xml --output-file bom.xml --output-version v1_3 - awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.patched.xml + echo "Merge BOMs for: Nextcloud" + cyclonedx merge --input-files bom.nextcloud.composer.xml bom.nextcloud.npm.xml --output-file bom.xml --output-version v1_3 + awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.nextcloud.xml # Pass merged BOM to next Job # https://github.com/actions/upload-artifact - name: Store merged BOM uses: actions/upload-artifact@v4 with: - name: final-bom - path: bom.xml + name: final-boms + path: bom.*.xml upload-sboms: needs: merge-sboms @@ -107,10 +105,10 @@ jobs: - name: Download partial BOMs uses: actions/download-artifact@v4 with: - name: final-bom + name: final-boms - - name: Dump merged SBOM + - name: Dump merged SBOMs run: | - cat bom.xml + cat bom.*.xml # TODO: upload BOMs From 2df44f3346fdd0cadbc84feb3e62eaf2e81e73dc Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:02:10 +0100 Subject: [PATCH 15/30] [WIP] Add SBOM generation for one app --- .github/workflows/sbom.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 35b05ec27797b..5bb969ce0ba79 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -26,6 +26,10 @@ jobs: # Submodules are checked independently submodules: false + # + # Nextcloud + # + # SBOM for composer (generate) - name: Generate SBOM (Nextcloud - composer) 
@@ -57,6 +61,23 @@ jobs: run: | npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.nextcloud.npm.xml' + + + # + # Custom App: googleanalytics + # + + # SBOM for composer (generate) + + - name: Generate SBOM (Custom App googleanalytics - composer) + working-directory: ./apps-custom/googleanalytics + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + composer global require cyclonedx/cyclonedx-php-composer + composer CycloneDX:make-sbom --output-file=bom.app-googleanalytics.xml + + + # Pass BOMs to next Job # https://github.com/actions/upload-artifact - name: Store partial BOMs @@ -90,6 +111,8 @@ jobs: cyclonedx merge --input-files bom.nextcloud.composer.xml bom.nextcloud.npm.xml --output-file bom.xml --output-version v1_3 awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.nextcloud.xml + # TODO use for loop where needed for apps + # Pass merged BOM to next Job # https://github.com/actions/upload-artifact - name: Store merged BOM From 82a092fc72b407a8655e18b16e9748ca665844a3 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:21:17 +0100 Subject: [PATCH 16/30] [WIP] Enable install of cyclonedx/cyclonedx-php-composer; split install and run --- .github/workflows/sbom.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 5bb969ce0ba79..b5fb3e48eebd9 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -26,6 +26,12 @@ jobs: # Submodules are checked independently submodules: false + - name: Install CycloneDX + # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer + run: | + composer global config --no-plugins allow-plugins.cyclonedx/cyclonedx-php-composer true + composer global require cyclonedx/cyclonedx-php-composer + # # Nextcloud # 
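Review bot: With `working-directory: ./apps-custom/googleanalytics`, the `--output-file=bom.app-googleanalytics.xml` path is relative to that directory, so the file lands inside the app folder while `Store partial BOMs` globs `bom.*.xml` at the repository root and will not pick it up. Write it to the root, `--output-file=../../bom.app-googleanalytics.xml`, or list the app path explicitly in the artifact. The step also repeats `composer global require cyclonedx/cyclonedx-php-composer`, a second unpinned fetch of the same plugin in one job; installing it once in a dedicated step before the first use avoids that.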
@@ -35,7 +41,6 @@ jobs: - name: Generate SBOM (Nextcloud - composer) # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | - composer global require cyclonedx/cyclonedx-php-composer composer CycloneDX:make-sbom --output-file=bom.nextcloud.composer.xml # SBOM for NPM (install and generate) @@ -73,7 +78,6 @@ jobs: working-directory: ./apps-custom/googleanalytics # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | - composer global require cyclonedx/cyclonedx-php-composer composer CycloneDX:make-sbom --output-file=bom.app-googleanalytics.xml From a252790b65bc4c0e98ed261d25d1d5a013855b28 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:26:31 +0100 Subject: [PATCH 17/30] [WIP] Checkout submodules too --- .github/workflows/sbom.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index b5fb3e48eebd9..c651d803f7085 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -23,8 +23,7 @@ jobs: - name: Checkout server uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: - # Submodules are checked independently - submodules: false + submodules: true - name: Install CycloneDX # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer From 167499f3914a1f664b2b1a2fa9c190e905f8d849 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:37:06 +0100 Subject: [PATCH 18/30] [WIP] Specify store paths explicitly * The bom.app-googleanalytics.xml was not packaged for whatever reason. * Partials were packaged while actually not needed (just good for debugging) * Make it explicit --- .github/workflows/sbom.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c651d803f7085..6dd7c263fdd8d 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
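Review bot: Switching to `submodules: true` removes the comment `# Submodules are checked independently` without replacing the rationale, so the next reader does not know why the SBOM workflow now needs submodule content. Presumably it is for `apps-custom/googleanalytics`, whose `working-directory` step needs the app checked out; confirm and record it, e.g. `# Needed for the apps-custom/* SBOM steps below`. Note that `submodules: true` does not recurse into nested submodules (that needs `recursive`), which is fine as long as those apps have none.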
@@ -49,7 +49,7 @@ jobs: with: node-version-file: "package.json" - - name: Build Nextcloud + - name: Nextcloud: install npm dependencies env: FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} run: | @@ -122,7 +122,9 @@ jobs: uses: actions/upload-artifact@v4 with: name: final-boms - path: bom.*.xml + path: | + bom.nextcloud.xml + bom.app-googleanalytics.xml upload-sboms: needs: merge-sboms From 561bc4dc228929c1e28a007490a9895d2aa3b559 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:38:50 +0100 Subject: [PATCH 19/30] [WIP] Debug ls --- .github/workflows/sbom.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 6dd7c263fdd8d..ad8f5c0199ed6 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -116,6 +116,10 @@ jobs: # TODO use for loop where needed for apps + - name: Show BOMs + run: | + ls -l bom.*.xml + # Pass merged BOM to next Job # https://github.com/actions/upload-artifact - name: Store merged BOM From a01ba1c620d19b9e010f2f29acddc2993082568e Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:40:29 +0100 Subject: [PATCH 20/30] [WIP] Quote string --- .github/workflows/sbom.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index ad8f5c0199ed6..944e5152f4d41 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -49,7 +49,7 @@ jobs: with: node-version-file: "package.json" - - name: Nextcloud: install npm dependencies + - name: "Nextcloud: install npm dependencies" env: FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} run: | From e078645472463b88f6400391e2976e6fe111f926 Mon Sep 17 00:00:00 2001 
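Review bot: `- name: Nextcloud: install npm dependencies` is a plain scalar containing `: `, which YAML reads as a nested mapping, so this line makes the workflow file fail to parse and no job in it runs. Quote the value, `- name: "Nextcloud: install npm dependencies"`. The second hunk's move from the `bom.*.xml` glob to an explicit `path: |` list is good, but the commit message's first bullet about the app BOM not being packaged is explained by that file being written under the app's `working-directory`, which this commit does not touch.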
From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:45:20 +0100 Subject: [PATCH 21/30] [WIP] Fix app BOM XML location, make store paths explicit --- .github/workflows/sbom.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 944e5152f4d41..c79b64d5dae68 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -77,7 +77,7 @@ jobs: working-directory: ./apps-custom/googleanalytics # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer run: | - composer CycloneDX:make-sbom --output-file=bom.app-googleanalytics.xml + composer CycloneDX:make-sbom --output-file=../../bom.app-googleanalytics.xml @@ -87,7 +87,9 @@ jobs: uses: actions/upload-artifact@v4 with: name: bom-partials - path: bom.*.xml + path: | + bom.nextcloud.*.xml + bom.app-googleanalytics.xml merge-sboms: needs: generate-sbom From 770467ed7e107a159fe5415949fbcef533c07499 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Fri, 7 Feb 2025 17:54:03 +0100 Subject: [PATCH 22/30] [WIP] Move SBOM merge to function --- .github/workflows/sbom.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index c79b64d5dae68..60ea86cbeea21 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -49,7 +49,7 @@ jobs: with: node-version-file: "package.json" - - name: "Nextcloud: install npm dependencies" + - name: "Install dependencies (Nextcloud - npm)" env: FONTAWESOME_PACKAGE_TOKEN: ${{ secrets.FONTAWESOME_PACKAGE_TOKEN }} run: | 
@@ -113,10 +113,12 @@ jobs: # elements or values that prevent upload to Dependency Track. run: | echo "Merge BOMs for: Nextcloud" - cyclonedx merge --input-files bom.nextcloud.composer.xml bom.nextcloud.npm.xml --output-file bom.xml --output-version v1_3 - awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.nextcloud.xml + function merge_bom() { + cyclonedx merge --input-files bom.${1}.composer.xml bom.${1}.npm.xml --output-file bom.xml --output-version v1_3 ; + awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.${1}.xml ; + } - # TODO use for loop where needed for apps + merge_bom "nextcloud" - name: Show BOMs run: | From af4b9a99f446155ea05e329abbe9555d84b9f617 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 16:42:57 +0200 Subject: [PATCH 23/30] [WIP] Fix function definition sh does not know about function keyword. --- .github/workflows/sbom.yaml | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 60ea86cbeea21..406973e961ffd 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -66,21 +66,6 @@ jobs: npx @cyclonedx/cyclonedx-npm --ignore-npm-errors --output-format XML --output-file './bom.nextcloud.npm.xml' - - # - # Custom App: googleanalytics - # - - # SBOM for composer (generate) - - - name: Generate SBOM (Custom App googleanalytics - composer) - working-directory: ./apps-custom/googleanalytics - # https://packagist.org/packages/cyclonedx/cyclonedx-php-composer - run: | - composer CycloneDX:make-sbom --output-file=../../bom.app-googleanalytics.xml - - - # Pass BOMs to next Job # https://github.com/actions/upload-artifact - name: Store partial BOMs @@ -89,7 +74,6 @@ jobs: name: bom-partials path: | bom.nextcloud.*.xml - bom.app-googleanalytics.xml merge-sboms: needs: generate-sbom 
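Review bot: `function merge_bom() {` uses the bash-only `function` keyword, yet this job runs inside the `cyclonedx/cyclonedx-cli` container, where GitHub falls back to `sh -e {0}` when bash is absent and the definition is a syntax error; the POSIX form `merge_bom() {` works in both. The function also reuses a single intermediate `bom.xml` for every call and assumes each component has both a `.composer.xml` and a `.npm.xml` input, which the googleanalytics step above (composer only) does not satisfy; a `for f in bom.${1}.*.xml` expansion would let the same function serve both cases. The trailing ` ;` on each command is redundant in a newline-separated function body.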
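Review bot: The first two hunks remove the whole `Custom App: googleanalytics` step and its `bom.app-googleanalytics.xml` artifact entry, but the title and body (`Fix function definition`, `sh does not know about function keyword`) describe only the one-line change in the third hunk. Unrelated removals hidden under a fix title are hard to bisect and review; split them into their own commit with a reason (the fourth hunk in this commit drops the matching path from `final-boms`). The third hunk is the right fix for the container's shell.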
@@ -113,7 +97,7 @@ jobs: # elements or values that prevent upload to Dependency Track. run: | echo "Merge BOMs for: Nextcloud" - function merge_bom() { + merge_bom() { cyclonedx merge --input-files bom.${1}.composer.xml bom.${1}.npm.xml --output-file bom.xml --output-version v1_3 ; awk '/^ / { ignore=1 } /^ <\/metadata>/ { ignore=0; next; } { if (!ignore) print }' bom.xml >bom.${1}.xml ; } @@ -132,7 +116,6 @@ jobs: name: final-boms path: | bom.nextcloud.xml - bom.app-googleanalytics.xml upload-sboms: needs: merge-sboms From 57f38416704d226db8be0f0e7fb211abdf538ab6 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 16:51:53 +0200 Subject: [PATCH 24/30] [WIP] Upload SBOM --- .github/workflows/sbom.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 406973e961ffd..2eca23be082c6 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -130,4 +130,16 @@ jobs: run: | cat bom.*.xml - # TODO: upload BOMs + upload_bom() { + echo "Upload Nextcloud SBOM ${1} for object ${2} ..." + + curl \ + -D- \ + -X POST ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom \ + -H "Content-Type: multipart/form-data" \ + -H "X-API-Key: ${DEPENDENCY_TRACK_API_KEY}" \ + -F "project=${2}" \ + -F "bom=@${1}" + } + + upload_bom "bom.nextcloud.xml" "${DT_OBJECT_NEXTCLOUD}" From 57032aadc1cdef21c47e9653ed2c3b9949dfee3b Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 17:07:28 +0200 Subject: [PATCH 25/30] [WIP] sbom upload: never cat, change Job description --- .github/workflows/sbom.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 2eca23be082c6..209e06b431045 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
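Review bot: The `curl` call has no `--fail`/`--fail-with-body`, so a 4xx/5xx from Dependency-Track only prints headers via `-D-` and the step still exits 0, leaving a failed upload looking green. Add `--fail-with-body` (curl 7.76 or newer; `-f` on older) so the job fails on rejection, and keep `-D-` only while debugging, since response headers can carry server details you may not want in a public log. Nothing in this hunk or the job sets `DEPENDENCY_TRACK_BASE_URL`, `DEPENDENCY_TRACK_API_KEY` or `DT_OBJECT_NEXTCLOUD` in `env:`, so unless the runner environment provides them the request goes to `/api/v1/bom` on an empty host with an empty key; an `env:` block on the step mapping them from `vars`/`secrets` is the usual shape. The unquoted `-X POST ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom` should be quoted like the other arguments.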
@@ -126,9 +126,9 @@ jobs: with: name: final-boms - - name: Dump merged SBOMs + - name: Upload SBOMs run: | - cat bom.*.xml + wc --total=never -l bom.*.xml upload_bom() { echo "Upload Nextcloud SBOM ${1} for object ${2} ..." From c4035c2ae47f296d743fe7116ac500e4d86aea53 Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 17:19:55 +0200 Subject: [PATCH 26/30] [WIP] sbom upload: print URL --- .github/workflows/sbom.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 209e06b431045..3272bf5be2a4f 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -130,12 +130,14 @@ jobs: run: | wc --total=never -l bom.*.xml + echo "Upload to: ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom" + upload_bom() { echo "Upload Nextcloud SBOM ${1} for object ${2} ..." curl \ -D- \ - -X POST ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom \ + -X POST "${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom" \ -H "Content-Type: multipart/form-data" \ -H "X-API-Key: ${DEPENDENCY_TRACK_API_KEY}" \ -F "project=${2}" \ From 801e560c4cf1f1d3dc6d196284eb9de3b573d8ff Mon Sep 17 00:00:00 2001 From: Thomas Lehmann Date: Mon, 2 Jun 2025 17:31:40 +0200 Subject: [PATCH 27/30] [WIP] Use GitHub expressions, not env vars D'oh --- .github/workflows/sbom.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 3272bf5be2a4f..715b0650d9a37 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
@@ -130,18 +130,18 @@ jobs: run: | wc --total=never -l bom.*.xml - echo "Upload to: ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom" + echo "Upload to: ${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom" upload_bom() { echo "Upload Nextcloud SBOM ${1} for object ${2} ..." curl \ -D- \ - -X POST "${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom" \ + -X POST "${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom" \ -H "Content-Type: multipart/form-data" \ - -H "X-API-Key: ${DEPENDENCY_TRACK_API_KEY}" \ + -H "X-API-Key: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}" \ -F "project=${2}" \ -F "bom=@${1}" } - upload_bom "bom.nextcloud.xml" "${DT_OBJECT_NEXTCLOUD}" + upload_bom "bom.nextcloud.xml" "${{ vars.DT_OBJECT_NEXTCLOUD }}" From be6485452843d67139f34b45999a8617f9e4d52a Mon Sep 17 00:00:00 2001 From: "Misha M.-Kupriyanov" Date: Fri, 13 Jun 2025 09:49:05 +0200 Subject: [PATCH 28/30] DROP: add mk/tl/sbom-generation to sbom.yaml Signed-off-by: Misha M.-Kupriyanov --- .github/workflows/sbom.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 715b0650d9a37..194da185f8eb7 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -10,6 +10,7 @@ on: # Enable once approved # - ionos-dev - tl/sbom-generation + - mk/tl/sbom-generation jobs: generate-sbom: From bfb99e86185a25f415388d61c4e2a65db4e3ffa4 Mon Sep 17 00:00:00 2001 From: "Misha M.-Kupriyanov" Date: Fri, 13 Jun 2025 13:58:09 +0200 Subject: [PATCH 29/30] fix: change sbom upload runner to self-hosted Signed-off-by: Misha M.-Kupriyanov --- .github/workflows/sbom.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 194da185f8eb7..509861e0cdcad 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
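Review bot: The change interpolates `${{ secrets.DEPENDENCY_TRACK_API_KEY }}` and the two `vars.*` expressions directly into the `run:` script text, which is the pattern GitHub's hardening guidance warns against: the values become part of the shell program before the shell runs, so any quote or metacharacter in them alters the script, and a secret embedded this way is harder to audit than one read from the environment. The previous revision already used shell variables; what was missing was the `env:` block mapping them, not the variable references. Define them on the step (its `- name: Upload SBOMs` header lies above this hunk) and keep the `${DEPENDENCY_TRACK_BASE_URL}`, `${DEPENDENCY_TRACK_API_KEY}` and `${DT_OBJECT_NEXTCLOUD}` references in the script unchanged.
```yaml
      - name: Upload SBOMs
        env:
          DEPENDENCY_TRACK_BASE_URL: ${{ vars.DEPENDENCY_TRACK_BASE_URL }}
          DEPENDENCY_TRACK_API_KEY: ${{ secrets.DEPENDENCY_TRACK_API_KEY }}
          DT_OBJECT_NEXTCLOUD: ${{ vars.DT_OBJECT_NEXTCLOUD }}
        run: |
          # … unchanged: wc, echo, upload_bom() and its call as in the previous revision, reading the shell variables above …
```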
@@ -120,7 +120,7 @@ jobs: upload-sboms: needs: merge-sboms - runs-on: ubuntu-latest + runs-on: self-hosted steps: - name: Download partial BOMs uses: actions/download-artifact@v4 From 0c67ef321009d3a304a0ae075359c3eaa28a9458 Mon Sep 17 00:00:00 2001 From: "Misha M.-Kupriyanov" Date: Fri, 13 Jun 2025 14:35:45 +0200 Subject: [PATCH 30/30] fix: correct word count command for SBOM upload Signed-off-by: Misha M.-Kupriyanov --- .github/workflows/sbom.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 509861e0cdcad..645c7be0c1e9c 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -129,7 +129,7 @@ jobs: - name: Upload SBOMs run: | - wc --total=never -l bom.*.xml + wc -l bom.*.xml echo "Upload to: ${{ vars.DEPENDENCY_TRACK_BASE_URL }}/api/v1/bom"
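Review bot: `runs-on: self-hosted` selects any runner carrying that default label, so the upload job will land on whichever self-hosted machine is free, including ones not meant to hold the Dependency-Track API key or reach its network; use the specific label set of the intended runner, `runs-on: [self-hosted, <label>]`. The job still has no `permissions:` block (unlike `generate-sbom`) and the workflow fires on `push` to feature branches, so anyone who can push to `tl/sbom-generation` or `mk/tl/sbom-generation` runs this job, with the default `GITHUB_TOKEN` and the secret, on that runner; the job's `steps:` continue past the hunk. Presumably the switch is for network reachability to DT; record that in a comment above the line.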