BUILD-6082: Implement sbom generation

.cirrus.yaml

@@ -11,11 +11,10 @@ env:
   USERPROFILE: C:\sonar-ci
   PATH: C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin;C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\IDE\CommonExtensions\Microsoft\TestWindow;C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool;C:\Program Files\DigiCert\DigiCert One Signing Manager Tools;C:\sonar-ci\.dotnet\tools;${PATH}
   CIRRUS_WORKING_DIR: C:\sonar-ci
-  CIRRUS_CLONE_DEPTH: 50
 
 ec2_instance_definition: &INSTANCE_DEFINITION
   region: eu-central-1
-  type: t3a.xlarge
+  type: c6i.xlarge
   image: base-windows-dotnet-v20240523071308
   platform: windows
 
@@ -41,6 +40,8 @@ build_task:
     SONARSOURCE_SNK_FILE: ${TMP_DIR}\SonarSource.snk
     SONARSOURCE_SNK: VAULT[development/team/languages/kv/data/strong_named_key data.SonarSourceSecret_snk]
     SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token]
+    SIGN_KEY: VAULT[development/kv/data/sign data.key]
+    SIGN_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
   clone_script: |
     git config --global core.autocrlf true
     git init
@@ -50,7 +51,7 @@ build_task:
 
   calculate_version_script: *CALCULATE_VERSION_SCRIPT_DEFINITION
   prepare_signing_script: |
-    if [[ "${CIRRUS_BRANCH}" == "${CIRRUS_DEFAULT_BRANCH}" || "${CIRRUS_BRANCH}" =~ "branch-.*"  || "${CIRRUS_BRANCH}" =~ "sign-.*" ]]; then
+    if [[ "${CIRRUS_BRANCH}" == "${CIRRUS_DEFAULT_BRANCH}" ]] || echo "${CIRRUS_BRANCH}" | grep -qE "^branch-.*" || echo "${CIRRUS_BRANCH}" | grep -qE "^sign-.*"; then
       mkdir -p "${TMP_DIR}"
       echo "${SONARSOURCE_SNK}" | base64 -d > "${SONARSOURCE_SNK_FILE}"
       echo "${SM_CLIENT_CERT_FILE_BASE64}" | base64 -d > "${SM_CLIENT_CERT_FILE}"
@@ -74,14 +75,27 @@ build_task:
     msbuild.exe "${SOLUTION_PATH}" -p:VsVersion=17.0 -p:VsTargetVersion=2022 -p:SignArtifacts=${SHOULD_SIGN} -p:AssemblyOriginatorKeyFile=${SONARSOURCE_SNK_FILE} -p:DeployExtension=false -p:Sha1=${CIRRUS_CHANGE_IN_REPO} -p:BuildNumber=${CI_BUILD_NUMBER} -p:Configuration=Release
   sign_artifact_script: |
     if [[ "${SHOULD_SIGN}" == "true" ]]; then
-        nuget sign "binaries/SonarLint.VSIX-${SONAR_PROJECT_VERSION}.${CIRRUS_BUILD_ID}-2022.vsix" -HashAlgorithm SHA256 -CertificateFingerprint ${SM_CERT_FP} -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256
+        nuget sign "binaries/SonarLint.VSIX-${SONAR_PROJECT_VERSION}.${CI_BUILD_NUMBER}-2022.vsix" -HashAlgorithm SHA256 -CertificateFingerprint ${SM_CERT_FP} -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256
     else
         echo "Artifact not signed"
     fi
   tests_script: |
     vstest.console.exe --EnableCodeCoverage --Logger:trx --ResultsDirectory:"TestResults" src/**/bin/**/Sonar*.*Tests.dll
   sonarcloud_analysis_script:
     - dotnet sonarscanner end -d:sonar.token=${SONAR_TOKEN}
+  sbom_generation_script: |
+    if [[ "${SHOULD_SIGN}" == "true" ]]; then
+      sbomname="SonarLint.visualstudio.sbom-$SONAR_PROJECT_VERSION.$CI_BUILD_NUMBER-2022.json"
+      gpg --batch --passphrase "$SIGN_PASSPHRASE" --allow-secret-key-import --import <(echo "$SIGN_KEY")
+      gpg --list-secret-keys
+      dotnet tool install --global CycloneDX
+      dotnet CycloneDX SonarLint.VisualStudio.Integration.sln -t -j -o binaries
+      cd binaries
+      mv bom.json $sbomname
+      gpg --pinentry-mode loopback --passphrase "$SIGN_PASSPHRASE" --armor --detach-sig --default-key infra@sonarsource.com "$sbomname"
+      echo "signed $sbomname"
+      ls -al
+    fi
 
 dogfood_task:
   depends_on: