From 420622724e8a3de20a49b0114da77055dea5f9d8 Mon Sep 17 00:00:00 2001 From: mhg Date: Fri, 23 Feb 2024 11:13:23 +0100 Subject: [PATCH] feat: As a developer I want a pipeline to create a SBOM and analyse it with through the CSAF --- .github/workflows/c4po-ci.yml | 3 +- .github/workflows/c4po-sbom.yml | 179 ++++++++++++++++++++++++++++++++ 2 files changed, 181 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/c4po-sbom.yml diff --git a/.github/workflows/c4po-ci.yml b/.github/workflows/c4po-ci.yml index fe89b39..c4c2fca 100644 --- a/.github/workflows/c4po-ci.yml +++ b/.github/workflows/c4po-ci.yml @@ -11,7 +11,8 @@ name: "Security C4PO CI" on: pull_request: - branches: [ "main" ] + # ToDo: Change back to main + branches: [ "test" ] env: diff --git a/.github/workflows/c4po-sbom.yml b/.github/workflows/c4po-sbom.yml new file mode 100644 index 0000000..8c6ebdd --- /dev/null +++ b/.github/workflows/c4po-sbom.yml 
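Review bot: Switching the `pull_request` trigger from `main` to `test` means the Security C4PO CI no longer runs on pull requests targeting `main`, so any branch-protection rule that requires this workflow will either block merges or silently stop scanning; the `# ToDo` acknowledges this, but the commit leaves it in place. If the intent is to exercise the workflow on a `test` branch, list both targets, `branches: [ "main", "test" ]`, so coverage of `main` is kept while testing. The rest of this workflow is outside the hunk.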
@@ -0,0 +1,179 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: "Supply Chain Security C4PO SBOM Demo"
+
+on:
+ pull_request:
+ branches: [ "main" ]
+
+
+env:
+ ANGULAR_PATH: security-c4po-angular
+ API_PATH: security-c4po-api
+ REPORTING_PATH: security-c4po-reporting
+ CFG_PATH: security-c4po-cfg
+
+ ANGULAR_CLI_VERSION: 13
+
+
+jobs:
+
+ angular_job:
+ name: "Angular SBOM Job"
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: "Check out code"
+ uses: actions/checkout@v3
+
+ - name: "Use Node.js 14.x"
+ uses: actions/setup-node@v1
+ with:
+ node-version: '14.x'
+ cache: 'npm'
+
+ - name: "Install NPM dependencies"
+ run: |
+ cd $ANGULAR_PATH
+ npm ci
+
+ - name: "Build assets"
+ run: |
+ cd $ANGULAR_PATH
+ npm run build --if-present
+
+ - name: "Run tests"
+ run: |
+ cd $ANGULAR_PATH
+ npm test
+
+ # Step to install OWASP Dependency-Check
+ - name: Install Dependency-Check
+ run: |
+ wget https://github.com/jeremylong/DependencyCheck/releases/download/v7.3.0/dependency-check-7.3.0-release.zip
+ unzip dependency-check-7.3.0-release.zip
+
+ - name: "Generate SBOM"
+ id: sbom
+ uses: anchore/sbom-action@v0
+ with:
+ format: cyclonedx-json
+ output-file: "${{ github.event.repository.name }}-angular-sbom.cyclonedx.json"
+
+ # Step to run SBOM analysis using Dependency-Check
+ #- name: "Run Dependency-Check SBOM Analysis"
+ # run: |
+ # ./dependency-check/bin/dependency-check.sh --scan '${{ github.event.repository.name }}-angular-sbom.cyclonedx.json' --out reports/ --format HTML
+
+ # Optionally, display the analysis report in the GitHub Actions log
+ #- name: "Display Analysis Report"
+ # run: |
+ # cat reports/dependency-check-report.html
+
+ # Optionally, upload the analysis report as an artifact
+ #- name: "Upload Analysis Report"
+ # uses: actions/upload-artifact@v3
+ # with:
+ # name: c4po-angular-analysis-report
+ # path: reports/dependency-check-report.html
+
+ # Working version to generate & analyse SBOMs
+ # Might be not good for company data
+ - name: Generate SBOM
+ id: sbom_generation
+ uses: codenotary/sbom.sh-create@main
+ with:
+ scan_type: 'grypefs'
+ target: './security-c4po-angular' # . -> Assuming you want to scan the entire repository
+
+ - name: Output SBOM URL
+ run: echo "The SBOM can be found at $SBOM_SHARE_URL"
+
+ reporting_job:
+ name: "Reporting SBOM Job"
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: "Check out code"
+ uses: actions/checkout@v3
+
+ - name: "Set up JDK 11"
+ uses: actions/setup-java@v3
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+
+ - name: "Setup Gradle"
+ uses: gradle/gradle-build-action@v2
+ with:
+ gradle-version: 6.5
+
+ - name: "Execute Gradle build"
+ run: |
+ cd $REPORTING_PATH
+ ./gradlew clean build
+
+ # Step to install OWASP Dependency-Check
+ - name: Install Dependency-Check
+ run: |
+ wget https://github.com/jeremylong/DependencyCheck/releases/download/v7.3.0/dependency-check-7.3.0-release.zip
+ unzip dependency-check-7.3.0-release.zip
+
+ - name: "Generate SBOM"
+ id: sbom
+ uses: anchore/sbom-action@v0
+ with:
+ format: cyclonedx-json
+ output-file: "${{ github.event.repository.name }}-reporting-sbom.cyclonedx.json"
+
+ # Step to run SBOM analysis using Dependency-Check
+ - name: "Run Dependency-Check SBOM Analysis"
+ run: |
+ ./dependency-check/bin/dependency-check.sh --scan '${{ github.event.repository.name }}-reporting-sbom.cyclonedx.json' --out reports/ --format HTML
+
+ # Optionally, display the analysis report in the GitHub Actions log
+ - name: "Display Analysis Report"
+ run: |
+ cat reports/dependency-check-report.html
+
+ # Optionally, upload the analysis report as an artifact
+ - name: "Upload Analysis Report"
+ uses: actions/upload-artifact@v3
+ with:
+ name: c4po-reporting-analysis-report
+ path: reports/dependency-check-report.html
+
+# shift + cmd + /
+# api_job:
+# name: "API Job"
+
+# runs-on: ubuntu-latest
+
+# steps:
+# - name: "Check out code"
+# uses: actions/checkout@v3
+
+# - name: "Set up JDK 11"
+# uses: actions/setup-java@v3
+# with:
+# java-version: '11'
+# distribution: 'temurin'
+
+# - name: "Setup Gradle"
+# uses: gradle/gradle-build-action@v2
+# with:
+# gradle-version: 6.5
+
+# - name: "Execute Gradle build"
+# run: |
+# cd $API_PATH
+# ./gradlew clean build -x dependencyCheckAnalyze
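Review bot: The `codenotary/sbom.sh-create@main` step in `angular_job` references a mutable branch of a third-party action, which the header comment of this very file warns against, and it appears to publish the generated SBOM to an external sharing service (the following step prints `$SBOM_SHARE_URL`), a concern the `# Might be not good for company data` comment already records; running it on every pull request sends the full dependency inventory off-site by default. Pin the action to a commit SHA and gate the step behind an explicit opt-in (a repository variable checked with `if:`), or replace it with an `actions/upload-artifact` step for the CycloneDX file that `anchore/sbom-action` already writes in this job, as `reporting_job` does for its report. The two `Install Dependency-Check` steps also `wget` and execute a release zip with no integrity check; verifying the archive with `sha256sum -c` against a known digest before `unzip` would close that gap. Finally, the workflow declares no `permissions:` block, so the third-party actions run with the repository's default GITHUB_TOKEN scope; a top-level `permissions: contents: read` limits what a compromised action could do.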