-
Notifications
You must be signed in to change notification settings - Fork 37
136 lines (119 loc) · 4.08 KB
/
vuln_man_solved.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: SBOM generation final
on:
workflow_dispatch:
jobs:
## Exercise SBOM generation
sbom:
name: Generate app SBOM
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
project: ["dvna", "vulnado"]
cdx_spec_version: ["1.5"]
include:
- project: vulnado
cdx_spec_version: "1.5"
cdx_image: ghcr.io/cyclonedx/cdxgen-java:v10
- project: dvna
cdx_spec_version: "1.5"
cdx_image: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3
container:
image: ${{matrix.cdx_image}}
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Generate SBOMs
run: |
cd vuln_apps/${{ matrix.project }}
cdxgen \
--format json \
--spec-version="${{matrix.cdx_spec_version}}" \
--project-name="${{ matrix.project }}" \
--project-version="build-${{ github.run_number }}" \
-o "${{ matrix.project }}_bom.json"
- name: Upload results
if: always()
uses: actions/upload-artifact@v4
with:
name: sbom-${{matrix.project}}
path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json"
retention-days: 5
if-no-files-found: error
## Exercise Docker SBOM generation
sbom-docker:
name: Generate docker SBOM
runs-on: ubuntu-latest
container: quay.io/pluribus_one/sbom_vex_scanner@sha256:4c93316f95a2fe12bd2683ec34ff36d8e3a29501c797fb4825e7e510bab29ce3
strategy:
fail-fast: false
matrix:
project: ["dvna", "vulnado"]
cdx_spec_version: ["1.5"]
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image
id: build-image
uses: docker/build-push-action@v5
with:
context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}"
push: false
load: true
tags: ${{ matrix.project }}:latest
- name: Generate docker SBOMs
run: >
cdxgen
--type docker
--format json
--spec-version="${{matrix.cdx_spec_version}}"
--project-name="${{ matrix.project }}"
--project-version="build-${{ github.run_number }}"
-o "${{ matrix.project }}-docker_bom.json"
${{ matrix.project }}:latest
- name: upload Artifacts
uses: actions/upload-artifact@v4
with:
name: sbom-${{matrix.project}}-docker
path: ${{ matrix.project }}-docker_bom.json
retention-days: 5
if-no-files-found: error
## Exercise Merge multiple SBOMs
merge-sbom:
name: Merge previously generated SBOM
runs-on: ubuntu-latest
needs: ["sbom", "sbom-docker"]
container: cyclonedx/cyclonedx-cli:0.27.1
strategy:
fail-fast: false
matrix:
project: ["dvna", "vulnado"]
steps:
- name: Download artifact sbom
uses: actions/download-artifact@v4
with:
name: sbom-${{matrix.project}}
path: ./sboms-${{matrix.project}}
- name: Download artifact sbom-docker
uses: actions/download-artifact@v4
with:
name: sbom-${{matrix.project}}-docker
path: ./sboms-${{matrix.project}}
- name: Merge previously generated sboms
run: >
cyclonedx merge
--input-files sboms-${{matrix.project}}/${{ matrix.project }}_bom.json sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json
--output-file ${{ matrix.project }}_merged_sbom.json
--hierarchical
--name ${{ matrix.project }}
--version "build-${{ github.run_number }}"
--group devsecops-exercises
- name: upload Artifacts
uses: actions/upload-artifact@v4
with:
name: sbom-${{matrix.project}}-merged
path: ${{ matrix.project }}_merged_sbom.json
retention-days: 5
if-no-files-found: error