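---
# Manually triggered workflow that generates a CycloneDX SBOM for each
# vulnerable demo application under vuln_apps/ and uploads it as an artifact.
name: SBOM generation

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the active job only reads the repository
# (actions/checkout) and uploads artifacts, neither of which needs a write scope.
permissions:
  contents: read

jobs:
  # Exercise SBOM generation
  sbom:
    name: Generate app SBOM
    runs-on: ubuntu-latest
    strategy:
      # Keep generating the other project's SBOM if one matrix entry fails.
      fail-fast: false
      matrix:
        project: ["dvna", "vulnado"]
        cdx_spec_version: ["1.5"]
        # Each project runs inside the generator image that fits its stack.
        include:
          - project: vulnado
            cdx_spec_version: "1.5"
            # NOTE(review): mutable tag; pin by digest (@sha256:<digest>) like the
            # dvna image below so the generator cannot change underneath CI.
            cdx_image: ghcr.io/cyclonedx/cdxgen-java:v10
          - project: dvna
            cdx_spec_version: "1.5"
            cdx_image: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3
    container:
      image: ${{ matrix.cdx_image }}
    steps:
      - name: Checkout Repository
        # NOTE(review): action refs use mutable tags; pinning to a full commit
        # SHA (@<commit-sha>) is the recommended supply-chain hardening.
        uses: actions/checkout@v4
        with:
          # No later step talks to the remote with git, so do not leave the
          # token in .git/config of the checked-out tree.
          persist-credentials: false
      - name: Generate SBOMs
        # Expression values are passed through env instead of being interpolated
        # into the script text, so the shell body is fixed regardless of context
        # values (matrix values are workflow-defined; this is defence in depth).
        env:
          PROJECT: ${{ matrix.project }}
          SPEC_VERSION: ${{ matrix.cdx_spec_version }}
          PROJECT_VERSION: ${{ github.run_number }}
        run: |
          cd "vuln_apps/${PROJECT}"
          cdxgen \
            --format json \
            --spec-version="${SPEC_VERSION}" \
            --project-name="${PROJECT}" \
            --project-version="${PROJECT_VERSION}" \
            -o "${PROJECT}_bom.json"
      - name: Upload results
        # Upload even after a failed generation so partial output can be inspected;
        # a missing file is still reported as an error by if-no-files-found.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ matrix.project }}
          path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json"
          retention-days: 5
          if-no-files-found: error

  ## Exercise Docker SBOM generation (disabled; kept as a template)
  # sbom-docker:
  #   name: Generate docker SBOM
  #   runs-on: ubuntu-latest
  #   container: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3
  #   strategy:
  #     fail-fast: false
  #     matrix:
  #       project: ["dvna", "vulnado"]
  #       cdx_spec_version: ["1.5"]
  #   steps:
  #     - name: Checkout Repository
  #       uses: actions/checkout@v4
  #     - name: Set up Docker Buildx
  #       uses: docker/setup-buildx-action@v3
  #     - name: Build Docker image
  #       id: build-image
  #       uses: docker/build-push-action@v5
  #       with:
  #         context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}"
  #         push: false
  #         load: true
  #         tags: ${{ matrix.project }}:latest
  #     - name: Generate docker SBOMs
  #       # The original draft referenced `${{ project }}`, which is not a valid
  #       # context; it must be `${{ matrix.project }}` as used elsewhere.
  #       run: >
  #         cdxgen
  #         --type docker
  #         --format json
  #         --spec-version="1.5"
  #         --project-name="${{ matrix.project }}"
  #         --project-version="build-${{ github.run_number }}"
  #         -o "${{ matrix.project }}-docker_bom.json"
  #         image:tag
  #     - name: upload Artifacts
  #       uses: actions/upload-artifact@v4
  #       with:
  #         name: sbom-${{ matrix.project }}-docker
  #         path: ${{ matrix.project }}-docker_bom.json
  #         retention-days: 5
  #         if-no-files-found: error

  ## Exercise Merge multiple SBOMs (disabled; kept as a template)
  # merge-sbom:
  #   name: Merge previously generated SBOM
  #   runs-on: ubuntu-latest
  #   needs: ["sbom", "sbom-docker"]
  #   container: cyclonedx/cyclonedx-cli:0.27.1
  #   strategy:
  #     fail-fast: false
  #     matrix:
  #       project: ["dvna", "vulnado"]
  #   steps:
  #     - name: Download artifact sbom
  #       uses: actions/download-artifact@v4
  #       with:
  #         name: sbom-${{ matrix.project }}
  #         path: ./sboms-${{ matrix.project }}
  #     - name: Download artifact sbom-docker
  #       uses: actions/download-artifact@v4
  #       with:
  #         name: sbom-${{ matrix.project }}-docker
  #         path: ./sboms-${{ matrix.project }}
  #     - name: Merge previously generated sboms
  #       # Placeholder arguments (file1.json, output.json, output-project-name)
  #       # still need to be replaced with the real downloaded paths.
  #       run: >
  #         cyclonedx merge
  #         --input-files file1.json file2.json…
  #         --output-file output.json
  #         --name output-project-name
  #         --version "build-${{ github.run_number }}"
  #         --hierarchical
  #         --group devsecops-exercises
  #     - name: upload Artifacts
  #       uses: actions/upload-artifact@v4
  #       with:
  #         name: sbom-${{ matrix.project }}-merged
  #         path: ${{ matrix.project }}_merged_sbom.json
  #         retention-days: 5
  #         if-no-files-found: error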