feat: As a developer I want a pipeline to create a SBOM and analyse i…

…t with through the CSAF

.github/workflows/c4po-ci.yml

@@ -11,7 +11,8 @@ name: "Security C4PO CI"
 
 on:
   pull_request:
-    branches: [ "main" ]
+    # ToDo: Change back to main
+    branches: [ "test" ]
 
 
 env:

.github/workflows/c4po-sbom.yml

@@ -0,0 +1,179 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: "Supply Chain Security C4PO SBOM Demo"
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+
+env:
+  ANGULAR_PATH: security-c4po-angular
+  API_PATH: security-c4po-api
+  REPORTING_PATH: security-c4po-reporting
+  CFG_PATH: security-c4po-cfg
+
+  ANGULAR_CLI_VERSION: 13
+
+
+jobs:
+
+  angular_job:
+    name: "Angular SBOM Job"
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Check out code"
+        uses: actions/checkout@v3
+
+      - name: "Use Node.js 14.x"
+        uses: actions/setup-node@v1
+        with:
+          node-version: '14.x'
+          cache: 'npm'
+
+      - name: "Install NPM dependencies"
+        run: |
+          cd $ANGULAR_PATH
+          npm ci
+
+      - name: "Build assets"
+        run: |
+          cd $ANGULAR_PATH
+          npm run build --if-present
+
+      - name: "Run tests"
+        run: |
+          cd $ANGULAR_PATH
+          npm test
+
+      # Step to install OWASP Dependency-Check
+      - name: Install Dependency-Check
+        run: |
+          wget https://github.com/jeremylong/DependencyCheck/releases/download/v7.3.0/dependency-check-7.3.0-release.zip
+          unzip dependency-check-7.3.0-release.zip
+
+      - name: "Generate SBOM"
+        id: sbom
+        uses: anchore/sbom-action@v0
+        with:
+          format: cyclonedx-json
+          output-file: "${{ github.event.repository.name }}-angular-sbom.cyclonedx.json"
+
+      # Step to run SBOM analysis using Dependency-Check
+      #- name: "Run Dependency-Check SBOM Analysis"
+      #  run: |
+      #    ./dependency-check/bin/dependency-check.sh --scan '${{ github.event.repository.name }}-angular-sbom.cyclonedx.json' --out reports/ --format HTML
+
+      # Optionally, display the analysis report in the GitHub Actions log
+      #- name: "Display Analysis Report"
+      #  run: |
+      #    cat reports/dependency-check-report.html
+
+      # Optionally, upload the analysis report as an artifact
+      #- name: "Upload Analysis Report"
+      #  uses: actions/upload-artifact@v3
+      #  with:
+      #    name: c4po-angular-analysis-report
+      #    path: reports/dependency-check-report.html
+
+      # Working version to generate & analyse SBOMs
+      # Might be not good for company data
+      - name: Generate SBOM
+        id: sbom_generation
+        uses: codenotary/sbom.sh-create@main
+        with:
+          scan_type: 'grypefs'
+          target: './security-c4po-angular' # . -> Assuming you want to scan the entire repository
+
+      - name: Output SBOM URL
+        run: echo "The SBOM can be found at $SBOM_SHARE_URL"
+
+  reporting_job:
+          name: "Reporting SBOM Job"
+
+          runs-on: ubuntu-latest
+
+          steps:
+            - name: "Check out code"
+              uses: actions/checkout@v3
+
+            - name: "Set up JDK 11"
+              uses: actions/setup-java@v3
+              with:
+                java-version: '11'
+                distribution: 'temurin'
+
+            - name: "Setup Gradle"
+              uses: gradle/gradle-build-action@v2
+              with:
+                gradle-version: 6.5
+
+            - name: "Execute Gradle build"
+              run: |
+                cd $REPORTING_PATH
+                ./gradlew clean build
+     
+             # Step to install OWASP Dependency-Check
+            - name: Install Dependency-Check
+              run: |
+                 wget https://github.com/jeremylong/DependencyCheck/releases/download/v7.3.0/dependency-check-7.3.0-release.zip
+                 unzip dependency-check-7.3.0-release.zip
+     
+            - name: "Generate SBOM"
+              id: sbom
+              uses: anchore/sbom-action@v0
+              with:
+                 format: cyclonedx-json
+                 output-file: "${{ github.event.repository.name }}-reporting-sbom.cyclonedx.json"
+
+            # Step to run SBOM analysis using Dependency-Check
+            - name: "Run Dependency-Check SBOM Analysis"
+              run: |
+                 ./dependency-check/bin/dependency-check.sh --scan '${{ github.event.repository.name }}-reporting-sbom.cyclonedx.json' --out reports/ --format HTML
+     
+            # Optionally, display the analysis report in the GitHub Actions log
+            - name: "Display Analysis Report"
+              run: |
+                 cat reports/dependency-check-report.html
+     
+            # Optionally, upload the analysis report as an artifact
+            - name: "Upload Analysis Report"
+              uses: actions/upload-artifact@v3
+              with:
+                 name: c4po-reporting-analysis-report
+                 path: reports/dependency-check-report.html
+
+# shift + cmd + /
+#   api_job:
+#     name: "API Job"
+
+#     runs-on: ubuntu-latest
+
+#     steps:
+#       - name: "Check out code"
+#         uses: actions/checkout@v3
+
+#       - name: "Set up JDK 11"
+#         uses: actions/setup-java@v3
+#         with:
+#           java-version: '11'
+#           distribution: 'temurin'
+
+#       - name: "Setup Gradle"
+#         uses: gradle/gradle-build-action@v2
+#         with:
+#           gradle-version: 6.5
+
+#       - name: "Execute Gradle build"
+#         run: |
+#           cd $API_PATH
+#           ./gradlew clean build -x dependencyCheckAnalyze