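# SBOM generation and dependency-vulnerability check for the Vaadin platform.
# Runs on pushes to the maintained branches, on pull requests that touch the
# dependency inputs listed under `paths`, on published releases, and on manual
# dispatch (where the scanners can be toggled individually).
name: SBOM

on:  # yamllint disable-line rule:truthy
  push:
    branches: ["master", "24.0", "23.3"]
  pull_request:
    types: [opened, synchronize, reopened, edited]
    paths:
      - "versions.json"
      - "**/pom.xml"
      - ".github/workflows/sbom.yml"
      - "scripts/generateAndCheckSBOM.js"
      - "scripts/generator/templates/*.xml"
  release:
    types: ["published"]
  workflow_dispatch:
    inputs:
      useSnapshots:
        description: 'Use snapthots for all vaadin products'
        required: false
        type: boolean
        default: false
      useBomber:
        description: 'Use bomber'
        required: false
        type: boolean
        default: true
      useOSV:
        description: 'Use osv-scanner'
        required: false
        type: boolean
        default: true
      useOWASP:
        description: 'Use owasp:dependency-check-maven'
        required: false
        type: boolean
        default: true
      useFullOWASP:
        description: 'Use full owasp:dependency-check'
        required: false
        type: boolean
        default: false
      # Free-form text: it is consumed by a shell step, so that step must pass
      # it through `env:` rather than expanding it inline.
      version:
        description: 'Use set Platform Version to:'
        required: false
        type: string
        default: ''
      forcePushReports:
        description: 'Push the SBOM to release note'
        required: false
        type: boolean
        default: false

# Least-privilege GITHUB_TOKEN: the job uploads release assets
# (contents: write) and comments on pull requests (pull-requests: write);
# no other token scope is used by this workflow. Without this block the
# token falls back to the repository's default, which may be much broader.
permissions:
  contents: write
  pull-requests: write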
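jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      # Fail fast when the licence secret is not available (for example a
      # pull request from a fork, where secrets are not exposed). The secret
      # is handed over through `env:` instead of `${{ }}` expansion inside
      # `run:`, so its value is never spliced into the shell source.
      - name: Check secrets
        env:
          TB_LICENSE: ${{ secrets.TB_LICENSE }}
        run: |
          if [ -z "$TB_LICENSE" ]; then
            echo "🚫 **TB_LICENSE** is not defined, check that **$GITHUB_REPOSITORY** repo has a valid secret" \
              | tee -a "$GITHUB_STEP_SUMMARY"
            exit 1
          fi

      # TODO(review): every third-party action below is pinned to a mutable
      # tag; pin each `uses:` to a full commit SHA (keep the tag in a trailing
      # comment) so a re-tagged release cannot silently change what runs here.
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - uses: stCarolas/setup-maven@v4.5
        with:
          maven-version: '3.8.2'
      - uses: actions/setup-go@v3
        with:
          go-version: 'stable'

      # TODO(review): `@v1` resolves to the newest v1.x at run time; pin an
      # exact osv-scanner version for reproducible scan results.
      - run: go install github.com/google/osv-scanner/cmd/osv-scanner@v1

      # TODO(review): the .deb is fetched over HTTPS but neither its checksum
      # nor its signature is verified before `dpkg -i`; compare against the
      # checksum published with the 0.4.4 release before installing.
      - name: Install bomber-0.4.4
        run: |
          wget -q https://github.com/devops-kung-fu/bomber/releases/download/v0.4.4/bomber_0.4.4_linux_amd64.deb
          sudo dpkg -i bomber_0.4.4_linux_amd64.deb

      # TODO(review): same as above — verify the release zip against its
      # published checksum before unpacking it onto the PATH.
      - name: Install dependency-check-8.2.1
        run: |
          cd /tmp
          wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v8.2.1/dependency-check-8.2.1-release.zip
          unzip dependency-check-8.2.1-release.zip
          sudo ln -s /tmp/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check

      # Writes the TestBench pro key file. TB_LICENSE is expected as
      # "<username>/<proKey>" (two fields split on the first `/`); the secret
      # is read from env so it is never part of the script text.
      - name: Install proKey
        env:
          TB_LICENSE: ${{ secrets.TB_LICENSE }}
        run: |
          mkdir -p ~/.vaadin/
          user_part=$(echo "$TB_LICENSE" | cut -d / -f1)
          key_part=$(echo "$TB_LICENSE" | cut -d / -f2)
          echo '{"username":"'"$user_part"'","proKey":"'"$key_part"'"}' > ~/.vaadin/proKey
          # Licence material: restrict it to the runner user.
          chmod 600 ~/.vaadin/proKey

      # Builds the argument list for the SBOM script from the dispatch inputs.
      # All inputs (including the free-form `version` input and the release
      # tag name) are passed through `env:` so they are shell data, not shell
      # source. Flags accumulate in $A; `--version` is appended rather than
      # replacing the list, which previously dropped every earlier flag
      # whenever a version was set.
      - name: Generate And Check SBOM
        env:
          USE_BOMBER: ${{ github.event.inputs.useBomber }}
          USE_OSV: ${{ github.event.inputs.useOSV }}
          USE_OWASP: ${{ github.event.inputs.useOWASP }}
          USE_FULL_OWASP: ${{ github.event.inputs.useFullOWASP }}
          USE_SNAPSHOTS: ${{ github.event.inputs.useSnapshots }}
          VERSION: ${{ github.event.inputs.version || github.event.release.tag_name }}
          OSSINDEX_USER: ${{ secrets.OSSINDEX_USER }}
          OSSINDEX_TOKEN: ${{ secrets.OSSINDEX_TOKEN }}
        run: |
          A=""
          ## TODO: do not disable bomber by default (https://github.com/devops-kung-fu/bomber/issues/174)
          if [ -z "$USE_BOMBER" ] || [ false = "$USE_BOMBER" ]; then A="$A --disable-bomber"; fi
          if [ false = "$USE_OSV" ]; then A="$A --disable-osv-scan"; fi
          if [ false = "$USE_OWASP" ]; then A="$A --disable-owasp"; fi
          if [ true = "$USE_FULL_OWASP" ]; then A="$A --enable-full-owasp"; fi
          if [ true = "$USE_SNAPSHOTS" ]; then A="$A --useSnapshots"; fi
          if [ -n "$VERSION" ]; then A="$A --version $VERSION"; fi
          cmd="scripts/generateAndCheckSBOM.js $A"
          echo "Running: $cmd"
          $cmd

      # Posts the report on the pull request. DEPENDENCIES_REPORT is expected
      # in the job environment by this point (presumably exported by the
      # script above — confirm in scripts/generateAndCheckSBOM.js).
      - if: ${{always() && env.DEPENDENCIES_REPORT && github.event.pull_request}}
        uses: thollander/actions-comment-pull-request@v2
        with:
          message: "${{env.DEPENDENCIES_REPORT}}\n[[Click for more Details](${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}})]"
          comment_tag: dependencies_report

      # Always keep the generated SBOM and scanner reports, even on failure,
      # so a failed check can be investigated from the artifact.
      - if: ${{always()}}
        uses: actions/upload-artifact@v3.1.1
        with:
          name: files
          path: |
            **/target/bom-vaadin.json
            **/target/*-report.json
            **/target/tree-*.txt
            **/target/dependencies.html
          if-no-files-found: error
          retention-days: 60

      # Attach the SBOM and the dependency report to the release when a tag is
      # known (release event or explicit `version` input); `forcePushReports`
      # allows the upload even if the check step failed.
      - if: ${{(success() || github.event.inputs.forcePushReports) && (github.event.inputs.version || github.event.release.tag_name)}}
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: vaadin-platform-sbom/target/bom-vaadin.json
          asset_name: "Software.Bill.Of.Materials.json"
          tag: ${{ github.event.inputs.version || github.event.release.tag_name }}
          overwrite: true
      - if: ${{(success() || github.event.inputs.forcePushReports) && (github.event.inputs.version || github.event.release.tag_name)}}
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: vaadin-platform-sbom/target/dependencies.html
          asset_name: "Dependencies.Report.html"
          tag: ${{ github.event.inputs.version || github.event.release.tag_name }}
          overwrite: true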