SBOM generation #10

Workflow file for this run

.github/workflows/vuln_man.yml at 97a0072

	name: SBOM generation

	on:
	workflow_dispatch:

	jobs:
	# Exercise SBOM generation
	sbom:
	name: Generate app SBOM
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	project: ["dvna", "vulnado"]
	cdx_spec_version: ["1.5"]
	include:
	- project: vulnado
	cdx_spec_version: "1.5"
	cdx_image: ghcr.io/cyclonedx/cdxgen-java:v10
	- project: dvna
	cdx_spec_version: "1.5"
	cdx_image: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3

	container:
	image: ${{matrix.cdx_image}}

	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4

	- name: Generate SBOMs
	run: \|
	cd vuln_apps/${{ matrix.project }}
	cdxgen \
	--format json \
	--spec-version="${{matrix.cdx_spec_version}}" \
	--project-name="${{ matrix.project }}" \
	--project-version="${{ github.run_number }}" \
	-o "${{ matrix.project }}_bom.json"

	- name: Upload results
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: sbom-${{matrix.project}}
	path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json"
	retention-days: 5
	if-no-files-found: error


	## Exercise Docker SBOM generation
	# sbom-docker:
	# name: Generate docker SBOM
	# runs-on: ubuntu-latest
	# container: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3
	# strategy:
	# fail-fast: false
	# matrix:
	# project: ["dvna", "vulnado"]
	# cdx_spec_version: ["1.5"]

	# steps:
	# - name: Checkout Repository
	# uses: actions/checkout@v4

	# - name: Set up Docker Buildx
	# uses: docker/setup-buildx-action@v3

	# - name: Build Docker image
	# id: build-image
	# uses: docker/build-push-action@v5
	# with:
	# context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}"
	# push: false
	# load: true
	# tags: ${{ matrix.project }}:latest

	# - name: Generate docker SBOMs
	# run: >
	# cdxgen
	# --type docker
	# --format json
	# --spec-version="1.5"
	# --project-name="${{ project }}"
	# --project-version="build-${{ github.run_number }}"
	# -o "${{ project }}-docker_bom.json"
	# image:tag

	# - name: upload Artifacts
	# uses: actions/upload-artifact@v4
	# with:
	# name: sbom-${{matrix.project}}-docker
	# path: ${{ matrix.project }}-docker_bom.json
	# retention-days: 5
	# if-no-files-found: error

	## Exercise Merge multiple SBOMs
	# merge-sbom:
	# name: Merge previously generated SBOM
	# runs-on: ubuntu-latest
	# needs: ["sbom", "sbom-docker"]
	# container: cyclonedx/cyclonedx-cli:0.27.1
	# strategy:
	# fail-fast: false
	# matrix:
	# project: ["dvna", "vulnado"]

	# steps:
	# - name: Download artifact sbom
	# uses: actions/download-artifact@v4
	# with:
	# name: sbom-${{matrix.project}}
	# path: ./sboms-${{matrix.project}}

	# - name: Download artifact sbom-docker
	# uses: actions/download-artifact@v4
	# with:
	# name: sbom-${{matrix.project}}-docker
	# path: ./sboms-${{matrix.project}}

	# - name: Merge previously generated sboms
	# run: >
	# cyclonedx merge
	# --input-files file1.json file2.json…
	# --output-file output.json
	# --name output-project-name
	# --version "build-${{ github.run_number }}"
	# --hierarchical
	# --group devsecops-exercises

	# - name: upload Artifacts
	# uses: actions/upload-artifact@v4
	# with:
	# name: sbom-${{matrix.project}}-merged
	# path: ${{ matrix.project }}_merged_sbom.json
	# retention-days: 5
	# if-no-files-found: error

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SBOM generation #10

Workflow file

SBOM generation #10

Jobs

Run details

Workflow file for this run