From 4fc64038b87bcecfe1c0549e4144467ddc87955e Mon Sep 17 00:00:00 2001 From: Federico Bo Date: Mon, 27 Nov 2023 17:37:45 +0100 Subject: [PATCH 01/40] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ff27fed..74e4ac8 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,7 @@ Le applicazioni vulnerabili che abbiamo esposto in questa repository sono prese https://owasp.org/www-project-vulnerable-web-applications-directory/ + # Follow Us on Security News Restate aggiornati con le ultime news su temi di cybersecurity, effettuando la subscribe al seguente link: -https://davideariu.substack.com/ \ No newline at end of file +https://davideariu.substack.com/ From 292968a3d6468db979a6605bbd693514f220bc92 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 12:05:38 +0100 Subject: [PATCH 02/40] generate sbom docker images --- .github/workflows/image_sbom.yml | 43 ++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/image_sbom.yml diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml new file mode 100644 index 0000000..7fb99bf --- /dev/null +++ b/.github/workflows/image_sbom.yml 
@@ -0,0 +1,43 @@ +name: Images scanner + +on: + workflow_dispatch: + +jobs: + images-security-scan: + name: Images Scanner + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + prj_folder: ["dvna", "vulnado"] + + steps: + - name: Checkout Repository + uses: actions/checkout@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build Docker image + id: build-image + uses: docker/build-push-action@v5 + with: + context: "${{ github.workspace }}/vuln_apps/${{ matrix.prj_folder }}" + push: false + load: true + tags: ${{ matrix.prj_folder }}:latest + + - name: Generate SBOMs + run: | + cdxgen --format docker -o "${{ matrix.prj_folder }}_bom.json" local://${{ matrix.prj_folder }}:latest + + - name: upload Artifacts + uses: actions/upload-artifact@v3 + with: + name: image-sbom + path: ${{matrix.prj_folder}}_* + retention-days: 5 + + + From d80408af3cc9be32b2ba46e55fad1d9a8c5ffb3b Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 12:06:39 +0100 Subject: [PATCH 03/40] change name --- .github/workflows/image_sbom.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml index 7fb99bf..5e6c8bd 100644 --- a/.github/workflows/image_sbom.yml +++ b/.github/workflows/image_sbom.yml @@ -1,11 +1,11 @@ -name: Images scanner +name: Images Generate Sbom on: workflow_dispatch: jobs: images-security-scan: - name: Images Scanner + name: Images Generate Sbom runs-on: ubuntu-latest strategy: fail-fast: false From 8ab3c6e339bc528ba45d0b0f261bb52cccb7001b Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 12:15:46 +0100 Subject: [PATCH 04/40] change container --- .github/workflows/image_sbom.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml index 5e6c8bd..21cca53 100644 --- a/.github/workflows/image_sbom.yml 
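Review bot: The new workflow declares no top-level `permissions:` block, so every step, including the third-party `docker/setup-buildx-action@v3` and `docker/build-push-action@v5`, runs with the repository's default `GITHUB_TOKEN` scopes although the job only checks out and builds; add a top-level `permissions:` mapping with `contents: read` directly under `name:`. The actions are also referenced by mutable tags (`actions/checkout@v3`, `actions/upload-artifact@v3`, the two `docker/*` actions), which a repointed upstream tag could silently replace; pinning each `uses:` to a full commit SHA with the tag in a trailing comment removes that dependency on tag integrity. The `Generate SBOMs` step invokes `cdxgen` on a bare `ubuntu-latest` runner with no install step or container, so as committed the step has no binary to run.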
+++ b/.github/workflows/image_sbom.yml @@ -4,9 +4,10 @@ on: workflow_dispatch: jobs: - images-security-scan: + image-sbom: name: Images Generate Sbom runs-on: ubuntu-latest + container: quay.io/pluribus_one/sbom_vex_scanner:latest strategy: fail-fast: false matrix: From 53ccaf028f38486e315e25d4c36fcdbcff24c641 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 12:26:16 +0100 Subject: [PATCH 05/40] docker connection --- .github/workflows/image_sbom.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml index 21cca53..c64db62 100644 --- a/.github/workflows/image_sbom.yml +++ b/.github/workflows/image_sbom.yml @@ -31,13 +31,13 @@ jobs: - name: Generate SBOMs run: | - cdxgen --format docker -o "${{ matrix.prj_folder }}_bom.json" local://${{ matrix.prj_folder }}:latest + cdxgen --format docker -o "${{ matrix.prj_folder }}_bom.json" ${{ matrix.prj_folder }}:latest - name: upload Artifacts uses: actions/upload-artifact@v3 with: name: image-sbom - path: ${{matrix.prj_folder}}_* + path: "*_bom.json" retention-days: 5 From 7d7d2e4b9b85d3cdd0acf401a9104c38cc87206c Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 12:46:04 +0100 Subject: [PATCH 06/40] update actions --- .github/workflows/codeql.yml | 2 +- .github/workflows/image_sbom.yml | 4 ++-- .github/workflows/image_scan.yml | 2 +- .github/workflows/sbom-vex-scan.yml | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4da8f0a..8eda44c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
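Review bot: The `container:` added to the `image-sbom` job references `quay.io/pluribus_one/sbom_vex_scanner:latest`, a floating tag, so the image that produces the SBOM artifact can change between runs with no change in this repository, which undermines the provenance an SBOM is meant to document. Pin it to an immutable digest, `container: quay.io/pluribus_one/sbom_vex_scanner@sha256:<digest-placeholder>`, and bump it deliberately with the version in a comment. The `cyclonedx/cyclonedx-cli` and `ghcr.io/cyclonedx/cdxgen` containers introduced later in this series deserve the same treatment.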
@@ -29,7 +29,7 @@ jobs: steps: # Checkout the repo, this will setup the pipeline with our actual codebase - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Setup CodeQL tool, with this setup step, we are specifying the language of the scan, and also some extra arguments in a configuration file - name: Initialize CodeQL diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml index c64db62..dcfafd1 100644 --- a/.github/workflows/image_sbom.yml +++ b/.github/workflows/image_sbom.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -34,7 +34,7 @@ jobs: cdxgen --format docker -o "${{ matrix.prj_folder }}_bom.json" ${{ matrix.prj_folder }}:latest - name: upload Artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: image-sbom path: "*_bom.json" diff --git a/.github/workflows/image_scan.yml b/.github/workflows/image_scan.yml index db3c972..93a7b43 100644 --- a/.github/workflows/image_scan.yml +++ b/.github/workflows/image_scan.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/sbom-vex-scan.yml b/.github/workflows/sbom-vex-scan.yml index c132cf0..deb1d4e 100644 --- a/.github/workflows/sbom-vex-scan.yml +++ b/.github/workflows/sbom-vex-scan.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Generate SBOMs run: | @@ -39,7 +39,7 @@ jobs: - name: Upload results if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: sbom-vex-jsons path: vuln_apps/**/${{matrix.prj_folder}}_* From 348cb4b2cb4fab5208cdace425874788f9f97861 Mon Sep 17 00:00:00 2001 
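Review bot: Bumping `actions/upload-artifact` to `@v4` in the `image_sbom.yml` hunk `@@ -34,7 +34,7 @@` while the artifact keeps the fixed name `image-sbom` breaks the matrix job: v4 refuses a second upload under an existing name instead of merging into one artifact as v3 did, so whichever of the `dvna`/`vulnado` legs finishes second fails. Make the name unique per leg, `name: image-sbom-${{ matrix.prj_folder }}`. The `sbom-vex-scan.yml` hunk `@@ -39,7 +39,7 @@` has the same problem with `name: sbom-vex-jsons`; the `${{matrix.prj_folder}}` in its `path:` indicates it is a matrix job as well.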
From: "federico.bo" Date: Thu, 21 Mar 2024 12:51:43 +0100 Subject: [PATCH 07/40] artifact_name --- .github/workflows/image_sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml index dcfafd1..2e9677e 100644 --- a/.github/workflows/image_sbom.yml +++ b/.github/workflows/image_sbom.yml @@ -37,7 +37,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: image-sbom - path: "*_bom.json" + path: "{{ matrix.prj_folder }}_bom.json" retention-days: 5 From 1d0a233ee42521cf50b2d87575e7365004e7683f Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 15:13:33 +0100 Subject: [PATCH 08/40] update workflows --- .github/workflows/image_sbom.yml | 4 +- .github/workflows/vuln_man.yml | 133 +++++++++++++++++++++++++++++++ 2 files changed, 135 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/vuln_man.yml diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml index 2e9677e..69f8abe 100644 --- a/.github/workflows/image_sbom.yml +++ b/.github/workflows/image_sbom.yml @@ -31,13 +31,13 @@ jobs: - name: Generate SBOMs run: | - cdxgen --format docker -o "${{ matrix.prj_folder }}_bom.json" ${{ matrix.prj_folder }}:latest + cdxgen --type docker -o "${{ matrix.prj_folder }}-docker_bom.json" ${{ matrix.prj_folder }}:latest - name: upload Artifacts uses: actions/upload-artifact@v4 with: name: image-sbom - path: "{{ matrix.prj_folder }}_bom.json" + path: "{{ matrix.prj_folder }}-docker_bom.json" retention-days: 5 diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml new file mode 100644 index 0000000..a853851 --- /dev/null +++ b/.github/workflows/vuln_man.yml 
@@ -0,0 +1,133 @@ +name: Vulnerability management workflow + +on: + workflow_dispatch: + + +jobs: + sbom: + name: Generate app SBOM + runs-on: ubuntu-latest + container: quay.io/pluribus_one/sbom_vex_scanner:latest + outputs: + sbom: ${{ steps.sbom_app.outputs }} + strategy: + fail-fast: false + matrix: + prj_folder: [ "dvna", "vulnado" ] + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Generate SBOMs + id: sbom_app + run: | + cd vuln_apps/${{ matrix.prj_folder }} + cdxgen --format json -o "${{ matrix.prj_folder }}_bom.json" + echo "bom=$cat ${{ matrix.prj_folder }}_bom.json" >> "$GITHUB_OUTPUT" + + - name: Upload results + if: always() + uses: actions/upload-artifact@v4 + with: + name: sbom-vex-jsons + path: vuln_apps/${{matrix.prj_folder}}/${{matrix.prj_folder}}_* + retention-days: 5 + + sbom-docker: + name: Generate docker SBOM + runs-on: ubuntu-latest + container: quay.io/pluribus_one/sbom_vex_scanner:latest + outputs: + sbom-docker: ${{ steps.sbom_app.outputs.test }} + strategy: + fail-fast: false + matrix: + prj_folder: [ "dvna", "vulnado" ] + + steps: + + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build Docker image + id: build-image + uses: docker/build-push-action@v5 + with: + context: "${{ github.workspace }}/vuln_apps/${{ matrix.prj_folder }}" + push: false + load: true + tags: ${{ matrix.prj_folder }}:latest + + - name: Generate docker SBOMs + id: sbom_docker + run: | + cdxgen --type docker -o "${{ matrix.prj_folder }}-docker_bom.json" ${{ matrix.prj_folder }}:latest + echo "bom=$cat(${{ matrix.prj_folder }}-docker_bom.json)" >> "$GITHUB_OUTPUT" + + - name: upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: image-sbom + path: "{{ matrix.prj_folder }}-docker_bom.json" + retention-days: 5 + + merge-sbom: + name: Merge VEX from SBOM + runs-on: ubuntu-latest + needs: [ "sbom", "sbom-docker"] + container: 
cyclonedx/cyclonedx-cli:0.25.2 + outputs: + sbom-merge: ${{ steps.merge_sbom.outputs }} + steps: + - name: Merge previously generated sboms + id: "sbom-merge" + run: | + echo ${{ needs.sbom.outputs.bom }} + echo ${{ needs.sbom-docker.outputs.bom }} + ls -la + + +#cyclonedx merge --input-files ${{ matrix.prj_folder }}-docker_bom.json vuln_apps/${{matrix.prj_folder}}/${{ matrix.prj_folder }}_bom.json --output-file ${{ matrix.prj_folder }}_merged_sbom.json --hierarchical --name {{ matrix.prj_folder }}_final --version $BUILD_NUMBER +#cat ${{ matrix.prj_folder }}_merged_sbom.json >> "$GITHUB_OUTPUT" + + + # vex-bom: + # name: Generate VEX from SBOM + # needs: [ "sbom", "sbom-docker"] + # runs-on: ubuntu-latest + # container: quay.io/pluribus_one/sbom_vex_scanner:latest + # strategy: + # fail-fast: false + # matrix: + # prj_folder: [ "dvna", "vulnado" ] + + # steps: + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@v3 + + # - name: Generate VEXs (JSON) + # uses: aquasecurity/trivy-action@master + # with: + # scan-type: "sbom vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_bom.json" + # format: "cyclonedx" + # output: "vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_vex.json" + + # - name: Generate VEXs (Human) + # uses: aquasecurity/trivy-action@master + # with: + # scan-type: "sbom vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_bom.json" + # format: "table" + # output: "vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_vex_human" + + # - name: Upload results + # if: always() + # uses: actions/upload-artifact@v4 + # with: + # name: sbom-vex-jsons + # path: vuln_apps/**/${{matrix.prj_folder}}_* + # retention-days: 5 From 763effad9a4eadeb1fe7b4564e8c6eafea270f46 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 15:17:45 +0100 Subject: [PATCH 09/40] artifacts --- .github/workflows/vuln_man.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
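Review bot: The `Generate SBOMs` step writes `echo "bom=$cat ${{ matrix.prj_folder }}_bom.json" >> "$GITHUB_OUTPUT"`, where `$cat` is an unset shell variable rather than a command substitution, so the output value is just the file name; the `Generate docker SBOMs` step repeats the mistake as `$cat(...)`. Even with `$(cat ...)`, a CycloneDX JSON file spans many lines and the `name=value` form of `$GITHUB_OUTPUT` accepts a single line, so a multi-line value needs the `bom<<EOF` delimiter form, and a full SBOM is better carried as an artifact than as a job output. The wiring also does not line up: `sbom-docker` reads `steps.sbom_app.outputs.test` although its step id is `sbom_docker` and the key written is `bom`, and `merge-sbom` reads `needs.sbom.outputs.bom` although the job-level output is named `sbom`. Finally, `echo ${{ needs.sbom.outputs.bom }}` splices the SBOM text into the script before the shell parses it; that text is derived from the package manifests under `vuln_apps/`, so any shell metacharacter in a dependency name or version becomes script, and it should be passed through `env:` (`BOM: ${{ needs.sbom.outputs.bom }}`) and printed as `echo "$BOM"`.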
diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index a853851..faf605f 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest container: quay.io/pluribus_one/sbom_vex_scanner:latest outputs: - sbom: ${{ steps.sbom_app.outputs }} + sbom: ${{ steps.sbom_app.outputs.bom }} strategy: fail-fast: false matrix: @@ -32,7 +32,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: sbom-vex-jsons - path: vuln_apps/${{matrix.prj_folder}}/${{matrix.prj_folder}}_* + path: vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_bom.json retention-days: 5 sbom-docker: @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest container: quay.io/pluribus_one/sbom_vex_scanner:latest outputs: - sbom-docker: ${{ steps.sbom_app.outputs.test }} + sbom-docker: ${{ steps.sbom_app.outputs.bom }} strategy: fail-fast: false matrix: From 96fa8ce86649925516616c0873febe530635560d Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 15:23:32 +0100 Subject: [PATCH 10/40] artifacts --- .github/workflows/vuln_man.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index faf605f..edcf33f 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -25,13 +25,13 @@ jobs: run: | cd vuln_apps/${{ matrix.prj_folder }} cdxgen --format json -o "${{ matrix.prj_folder }}_bom.json" - echo "bom=$cat ${{ matrix.prj_folder }}_bom.json" >> "$GITHUB_OUTPUT" + echo "bom=$(cat ${{ matrix.prj_folder }}_bom.json)" >> "$GITHUB_OUTPUT" - name: Upload results if: always() uses: actions/upload-artifact@v4 with: - name: sbom-vex-jsons + name: sbom-apps path: vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_bom.json retention-days: 5 
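Review bot: The `sbom-docker` job's output is changed to `${{ steps.sbom_app.outputs.bom }}`, but the step that writes `bom` in that job carries `id: sbom_docker`; `sbom_app` is the step id of the other job, so this output stays empty. It should be `sbom-docker: ${{ steps.sbom_docker.outputs.bom }}`. Downstream, `merge-sbom` (outside this hunk) reads `needs.sbom.outputs.bom` and `needs.sbom-docker.outputs.bom`, while the job-level keys declared here are `sbom` and `sbom-docker`, so those references also resolve to empty strings.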
@@ -67,12 +67,12 @@ jobs: id: sbom_docker run: | cdxgen --type docker -o "${{ matrix.prj_folder }}-docker_bom.json" ${{ matrix.prj_folder }}:latest - echo "bom=$cat(${{ matrix.prj_folder }}-docker_bom.json)" >> "$GITHUB_OUTPUT" + echo "bom=$(cat ${{ matrix.prj_folder }}-docker_bom.json)" >> "$GITHUB_OUTPUT" - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: image-sbom + name: sbom-images path: "{{ matrix.prj_folder }}-docker_bom.json" retention-days: 5 From 2a90cb5d7d058de2d20390c57c01bd0f9287d672 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 15:36:07 +0100 Subject: [PATCH 11/40] change matrix name and artifacts fix --- .github/workflows/vuln_man.yml | 44 +++++++++++++++++----------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index edcf33f..162d18a 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -14,7 +14,7 @@ jobs: strategy: fail-fast: false matrix: - prj_folder: [ "dvna", "vulnado" ] + project: [ "dvna", "vulnado" ] steps: - name: Checkout Repository @@ -23,16 +23,16 @@ jobs: - name: Generate SBOMs id: sbom_app run: | - cd vuln_apps/${{ matrix.prj_folder }} - cdxgen --format json -o "${{ matrix.prj_folder }}_bom.json" - echo "bom=$(cat ${{ matrix.prj_folder }}_bom.json)" >> "$GITHUB_OUTPUT" + cd vuln_apps/${{ matrix.project }} + cdxgen --format json -o "${{ matrix.project }}_bom.json" + echo "bom=$(cat ${{ matrix.project }}_bom.json)" >> "$GITHUB_OUTPUT" - name: Upload results if: always() uses: actions/upload-artifact@v4 with: - name: sbom-apps - path: vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_bom.json + name: sbom-${{matrix.project}} + path: "**/${{ matrix.project }}_bom.json" retention-days: 5 sbom-docker: 
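Review bot: `echo "bom=$(cat ${{ matrix.prj_folder }}-docker_bom.json)" >> "$GITHUB_OUTPUT"` repairs the command substitution, but a CycloneDX JSON file spans many lines and the `name=value` form of `$GITHUB_OUTPUT` takes one line; the remaining lines are read as further entries and the step fails or the value is truncated. Multi-line values need the delimiter form, e.g. `{ echo "bom<<EOF"; cat "${{ matrix.prj_folder }}-docker_bom.json"; echo "EOF"; } >> "$GITHUB_OUTPUT"`, and job outputs are limited in size, so a full image SBOM is better handed to the next job as an artifact. The first hunk of this patch, `@@ -25,13 +25,13 @@`, has the identical construct for `${{ matrix.prj_folder }}_bom.json`.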
@@ -44,10 +44,9 @@ jobs: strategy: fail-fast: false matrix: - prj_folder: [ "dvna", "vulnado" ] + project: [ "dvna", "vulnado" ] steps: - - name: Checkout Repository uses: actions/checkout@v4 @@ -58,22 +57,23 @@ jobs: id: build-image uses: docker/build-push-action@v5 with: - context: "${{ github.workspace }}/vuln_apps/${{ matrix.prj_folder }}" + context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}" push: false load: true - tags: ${{ matrix.prj_folder }}:latest + tags: ${{ matrix.project }}:latest - name: Generate docker SBOMs id: sbom_docker run: | - cdxgen --type docker -o "${{ matrix.prj_folder }}-docker_bom.json" ${{ matrix.prj_folder }}:latest - echo "bom=$(cat ${{ matrix.prj_folder }}-docker_bom.json)" >> "$GITHUB_OUTPUT" + cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest + cat ${{ matrix.project }}-docker_bom.json + echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: sbom-images - path: "{{ matrix.prj_folder }}-docker_bom.json" + name: sbom-image-{{matrix.project}} + path: "{{ matrix.project }}-docker_bom.json" retention-days: 5 merge-sbom: @@ -92,8 +92,8 @@ jobs: ls -la -#cyclonedx merge --input-files ${{ matrix.prj_folder }}-docker_bom.json vuln_apps/${{matrix.prj_folder}}/${{ matrix.prj_folder }}_bom.json --output-file ${{ matrix.prj_folder }}_merged_sbom.json --hierarchical --name {{ matrix.prj_folder }}_final --version $BUILD_NUMBER -#cat ${{ matrix.prj_folder }}_merged_sbom.json >> "$GITHUB_OUTPUT" +#cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json vuln_apps/${{matrix.project}}/${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name {{ matrix.project }}_final --version $BUILD_NUMBER +#cat ${{ matrix.project }}_merged_sbom.json >> "$GITHUB_OUTPUT" # vex-bom: 
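Review bot: `name: sbom-image-{{matrix.project}}` and `path: "{{ matrix.project }}-docker_bom.json"` in the `upload Artifacts` step lack the `$` of the expression syntax, so the runner treats both as literal strings: the upload looks for a file that does not exist and, because the literal name is identical for both matrix legs, the second leg collides with the first under `upload-artifact@v4`. Both should use `${{ matrix.project }}`. The same `{{ matrix.project }}_final` form appears in the commented `cyclonedx merge` line of the `@@ -92,8 +92,8 @@` hunk.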
@@ -104,7 +104,7 @@ jobs: # strategy: # fail-fast: false # matrix: - # prj_folder: [ "dvna", "vulnado" ] + # project: [ "dvna", "vulnado" ] # steps: # - name: Set up Docker Buildx @@ -113,21 +113,21 @@ jobs: # - name: Generate VEXs (JSON) # uses: aquasecurity/trivy-action@master # with: - # scan-type: "sbom vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_bom.json" + # scan-type: "sbom vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" # format: "cyclonedx" - # output: "vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_vex.json" + # output: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_vex.json" # - name: Generate VEXs (Human) # uses: aquasecurity/trivy-action@master # with: - # scan-type: "sbom vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_bom.json" + # scan-type: "sbom vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" # format: "table" - # output: "vuln_apps/${{ matrix.prj_folder }}/${{ matrix.prj_folder }}_vex_human" + # output: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_vex_human" # - name: Upload results # if: always() # uses: actions/upload-artifact@v4 # with: # name: sbom-vex-jsons - # path: vuln_apps/**/${{matrix.prj_folder}}_* + # path: vuln_apps/**/${{matrix.project}}_* # retention-days: 5 From 1771be73e40dd89deef89e72b20fdfe1b57080d2 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 15:43:12 +0100 Subject: [PATCH 12/40] sbom --- .github/workflows/image_sbom.yml | 4 ++-- .github/workflows/vuln_man.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml index 69f8abe..5aab48c 100644 --- a/.github/workflows/image_sbom.yml +++ b/.github/workflows/image_sbom.yml 
@@ -36,8 +36,8 @@ jobs: - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: image-sbom - path: "{{ matrix.prj_folder }}-docker_bom.json" + name: image-sbom-${{matrix.proj_folder}} + path: "${{ matrix.prj_folder }}-docker_bom.json" retention-days: 5 diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 162d18a..32216bc 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -72,8 +72,8 @@ jobs: - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: sbom-image-{{matrix.project}} - path: "{{ matrix.project }}-docker_bom.json" + name: sbom-image-${{matrix.project}} + path: "${{ matrix.project }}-docker_bom.json" retention-days: 5 merge-sbom: @@ -92,7 +92,7 @@ jobs: ls -la -#cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json vuln_apps/${{matrix.project}}/${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name {{ matrix.project }}_final --version $BUILD_NUMBER +#cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json vuln_apps/${{matrix.project}}/${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }}_final --version $BUILD_NUMBER #cat ${{ matrix.project }}_merged_sbom.json >> "$GITHUB_OUTPUT" From a8f0e9bcd7f67253df40c786e55800b8dc2ac4fd Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 15:48:40 +0100 Subject: [PATCH 13/40] version --- .github/workflows/vuln_man.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 32216bc..891b57d 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml 
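Review bot: `name: image-sbom-${{matrix.proj_folder}}` in `image_sbom.yml` references `matrix.proj_folder`, but the matrix key defined in this file is `prj_folder` (the `path:` on the next line spells it correctly), so the expression expands to an empty string and both legs upload an artifact named `image-sbom-`, which `upload-artifact@v4` rejects for the second leg. Change it to `name: image-sbom-${{ matrix.prj_folder }}`.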
@@ -80,7 +80,7 @@ jobs: name: Merge VEX from SBOM runs-on: ubuntu-latest needs: [ "sbom", "sbom-docker"] - container: cyclonedx/cyclonedx-cli:0.25.2 + container: cyclonedx/cyclonedx-cli:0.25.0 outputs: sbom-merge: ${{ steps.merge_sbom.outputs }} steps: From 30691124312a95992d496cab52556202003bc8f0 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 16:42:22 +0100 Subject: [PATCH 14/40] artifacts instead of outputs --- .github/workflows/vuln_man.yml | 47 ++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 891b57d..a4cc61a 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -9,8 +9,8 @@ jobs: name: Generate app SBOM runs-on: ubuntu-latest container: quay.io/pluribus_one/sbom_vex_scanner:latest - outputs: - sbom: ${{ steps.sbom_app.outputs.bom }} + # outputs: + # sbom: ${{ steps.sbom_app.outputs.bom }} strategy: fail-fast: false matrix: @@ -21,11 +21,11 @@ jobs: uses: actions/checkout@v4 - name: Generate SBOMs - id: sbom_app + # id: "sbom_app" run: | cd vuln_apps/${{ matrix.project }} cdxgen --format json -o "${{ matrix.project }}_bom.json" - echo "bom=$(cat ${{ matrix.project }}_bom.json)" >> "$GITHUB_OUTPUT" +# echo "bom=$(cat ${{ matrix.project }}_bom.json)" >> "$GITHUB_OUTPUT" - name: Upload results if: always() @@ -39,8 +39,8 @@ jobs: name: Generate docker SBOM runs-on: ubuntu-latest container: quay.io/pluribus_one/sbom_vex_scanner:latest - outputs: - sbom-docker: ${{ steps.sbom_app.outputs.bom }} + # outputs: + # sbom: ${{ steps.sbom_docker.outputs.bom }} strategy: fail-fast: false matrix: 
@@ -63,11 +63,11 @@ jobs: tags: ${{ matrix.project }}:latest - name: Generate docker SBOMs - id: sbom_docker + # id: "sbom_docker" run: | cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest cat ${{ matrix.project }}-docker_bom.json - echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" +# echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" - name: upload Artifacts uses: actions/upload-artifact@v4 @@ -81,15 +81,34 @@ jobs: runs-on: ubuntu-latest needs: [ "sbom", "sbom-docker"] container: cyclonedx/cyclonedx-cli:0.25.0 - outputs: - sbom-merge: ${{ steps.merge_sbom.outputs }} + # outputs: + # sbom-merge: ${{ steps.merge_sbom.outputs }} + strategy: + fail-fast: false + matrix: + project: [ "dvna", "vulnado" ] + steps: + + - name: Download artifact sbom + uses: actions/download-artifact@v4 + with: + name: sbom-${{matrix.project}} + path: ./sboms-${{matrix.project}} + + - name: Download artifact sbom-docker + uses: actions/download-artifact@v4 + with: + name: sbom-image-${{matrix.project}} + path: ./sboms-${{matrix.project}} + - name: Merge previously generated sboms - id: "sbom-merge" - run: | - echo ${{ needs.sbom.outputs.bom }} - echo ${{ needs.sbom-docker.outputs.bom }} + # id: "merge_sbom" + run: + cd sboms-${{matrix.project}} ls -la + cat ${{ matrix.project }}-docker_bom.json + cat ${{ matrix.project }}_bom.json #cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json vuln_apps/${{matrix.project}}/${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }}_final --version $BUILD_NUMBER From 52843a57b923222e0434f3fef45591ddb18b17f6 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 16:52:20 +0100 Subject: [PATCH 15/40] debug --- .github/workflows/vuln_man.yml | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) 
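Review bot: The `Merge previously generated sboms` step uses `run:` with a plain multi-line scalar rather than `run: |`, so YAML folds the four indented lines into one and the shell receives a single `cd` command with `ls -la` and the two `cat` invocations as extra arguments, not the intended sequence. Write `run: |` and keep each command on its own line. The `#cyclonedx merge` comment at column 0 still references `$BUILD_NUMBER`, which the GitHub runner does not set; `${{ github.run_number }}` is the native equivalent when that line is revived.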
diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index a4cc61a..b5c7105 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -104,14 +104,19 @@ jobs: - name: Merge previously generated sboms # id: "merge_sbom" - run: - cd sboms-${{matrix.project}} - ls -la - cat ${{ matrix.project }}-docker_bom.json - cat ${{ matrix.project }}_bom.json - - -#cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json vuln_apps/${{matrix.project}}/${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }}_final --version $BUILD_NUMBER + run: | + ls -la sboms-${{matrix.project}} + cat sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json + cat sboms-${{matrix.project}}/${{ matrix.project }}_bom.json + cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }}_final --version $BUILD_NUMBER + + - name: upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-merged-${{matrix.project}} + path: "sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" + retention-days: 5 + #cat ${{ matrix.project }}_merged_sbom.json >> "$GITHUB_OUTPUT" From 35f94d91720c12549540e182ad0abe0ff392b9e5 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 16:59:14 +0100 Subject: [PATCH 16/40] upload artifacts flatten files --- .github/workflows/vuln_man.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index b5c7105..695b376 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml 
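Review bot: The `cyclonedx merge` line runs from the workspace root but passes `${{ matrix.project }}-docker_bom.json` and `${{ matrix.project }}_bom.json` without the `sboms-${{matrix.project}}/` prefix that the `ls` and `cat` lines just above use, so the merge cannot find its inputs while the new upload step expects `sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json`. Either `cd sboms-${{matrix.project}}` first or prefix the paths. `--version $BUILD_NUMBER` also relies on a variable the GitHub runner does not define (it is a Jenkins convention), so the merged BOM is stamped with an empty version; `${{ github.run_number }}` is the native equivalent.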
@@ -21,18 +21,18 @@ jobs: uses: actions/checkout@v4 - name: Generate SBOMs - # id: "sbom_app" + # id: "sbom_app" run: | cd vuln_apps/${{ matrix.project }} cdxgen --format json -o "${{ matrix.project }}_bom.json" -# echo "bom=$(cat ${{ matrix.project }}_bom.json)" >> "$GITHUB_OUTPUT" + # echo "bom=$(cat ${{ matrix.project }}_bom.json)" >> "$GITHUB_OUTPUT" - name: Upload results if: always() uses: actions/upload-artifact@v4 with: name: sbom-${{matrix.project}} - path: "**/${{ matrix.project }}_bom.json" + path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" retention-days: 5 sbom-docker: @@ -63,11 +63,11 @@ jobs: tags: ${{ matrix.project }}:latest - name: Generate docker SBOMs - # id: "sbom_docker" + # id: "sbom_docker" run: | cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest cat ${{ matrix.project }}-docker_bom.json -# echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" + # echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" - name: upload Artifacts uses: actions/upload-artifact@v4 From e29f432455f817335fe500ec88f656ef1e6634ed Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 17:05:07 +0100 Subject: [PATCH 17/40] update version of cyclonedx-cli --- .github/workflows/vuln_man.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 695b376..903ba58 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml 
@@ -104,11 +104,7 @@ jobs: - name: Merge previously generated sboms # id: "merge_sbom" - run: | - ls -la sboms-${{matrix.project}} - cat sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json - cat sboms-${{matrix.project}}/${{ matrix.project }}_bom.json - cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }}_final --version $BUILD_NUMBER + run: cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} - name: upload Artifacts uses: actions/upload-artifact@v4 From 55a056bdc61ea56250e7d1995e51cee631a0a722 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 17:13:07 +0100 Subject: [PATCH 18/40] update folder --- .github/workflows/vuln_man.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 903ba58..dc6667a 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -104,7 +104,9 @@ jobs: - name: Merge previously generated sboms # id: "merge_sbom" - run: cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} + run: | + cd sboms-${{matrix.project}} + cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} - name: upload Artifacts uses: actions/upload-artifact@v4 From be64ac188e9a30a2084c005ddcc7ed840338ba2b Mon Sep 17 00:00:00 2001 
From: "federico.bo" Date: Thu, 21 Mar 2024 17:39:29 +0100 Subject: [PATCH 19/40] update steps --- .github/workflows/image_sbom.yml | 44 ----------------- .github/workflows/vuln_man.yml | 81 +++++++++++++++++--------------- 2 files changed, 42 insertions(+), 83 deletions(-) delete mode 100644 .github/workflows/image_sbom.yml diff --git a/.github/workflows/image_sbom.yml b/.github/workflows/image_sbom.yml deleted file mode 100644 index 5aab48c..0000000 --- a/.github/workflows/image_sbom.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: Images Generate Sbom - -on: - workflow_dispatch: - -jobs: - image-sbom: - name: Images Generate Sbom - runs-on: ubuntu-latest - container: quay.io/pluribus_one/sbom_vex_scanner:latest - strategy: - fail-fast: false - matrix: - prj_folder: ["dvna", "vulnado"] - - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build Docker image - id: build-image - uses: docker/build-push-action@v5 - with: - context: "${{ github.workspace }}/vuln_apps/${{ matrix.prj_folder }}" - push: false - load: true - tags: ${{ matrix.prj_folder }}:latest - - - name: Generate SBOMs - run: | - cdxgen --type docker -o "${{ matrix.prj_folder }}-docker_bom.json" ${{ matrix.prj_folder }}:latest - - - name: upload Artifacts - uses: actions/upload-artifact@v4 - with: - name: image-sbom-${{matrix.proj_folder}} - path: "${{ matrix.prj_folder }}-docker_bom.json" - retention-days: 5 - - - diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index dc6667a..0a30454 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -3,12 +3,11 @@ name: Vulnerability management workflow on: workflow_dispatch: - jobs: sbom: name: Generate app SBOM runs-on: ubuntu-latest - container: quay.io/pluribus_one/sbom_vex_scanner:latest + container: ghcr.io/cyclonedx/cdxgen:v10.2.4 # outputs: # sbom: ${{ steps.sbom_app.outputs.bom }} strategy: 
@@ -38,7 +37,7 @@ jobs: sbom-docker: name: Generate docker SBOM runs-on: ubuntu-latest - container: quay.io/pluribus_one/sbom_vex_scanner:latest + container: ghcr.io/cyclonedx/cdxgen:v10.2.4 # outputs: # sbom: ${{ steps.sbom_docker.outputs.bom }} strategy: @@ -89,7 +88,6 @@ jobs: project: [ "dvna", "vulnado" ] steps: - - name: Download artifact sbom uses: actions/download-artifact@v4 with: 
@@ -118,38 +116,43 @@ jobs: #cat ${{ matrix.project }}_merged_sbom.json >> "$GITHUB_OUTPUT" - # vex-bom: - # name: Generate VEX from SBOM - # needs: [ "sbom", "sbom-docker"] - # runs-on: ubuntu-latest - # container: quay.io/pluribus_one/sbom_vex_scanner:latest - # strategy: - # fail-fast: false - # matrix: - # project: [ "dvna", "vulnado" ] - - # steps: - # - name: Set up Docker Buildx - # uses: docker/setup-buildx-action@v3 - - # - name: Generate VEXs (JSON) - # uses: aquasecurity/trivy-action@master - # with: - # scan-type: "sbom vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" - # format: "cyclonedx" - # output: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_vex.json" - - # - name: Generate VEXs (Human) - # uses: aquasecurity/trivy-action@master - # with: - # scan-type: "sbom vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" - # format: "table" - # output: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_vex_human" - - # - name: Upload results - # if: always() - # uses: actions/upload-artifact@v4 - # with: - # name: sbom-vex-jsons - # path: vuln_apps/**/${{matrix.project}}_* - # retention-days: 5 + vex-bom: + name: Generate VEX from SBOM + needs: [ "merge-sbom"] + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + project: [ "dvna", "vulnado" ] + + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Download merged sbom + uses: actions/download-artifact@v4 + with: + name: sbom-merged-${{matrix.project}} + path: ./sboms-${{matrix.project}} + + - name: Generate VEXs (JSON) + uses: aquasecurity/trivy-action@master + with: + scan-type: "sbom sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" + format: "cyclonedx" + output: "${{ matrix.project }}_vex.json" + + - name: Generate VEXs (Human) + uses: aquasecurity/trivy-action@master + with: + scan-type: "sbom sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" + format: 'sarif' + output: "${{ 
matrix.project }}_vex_sarif" + + - name: Upload results + if: always() + uses: actions/upload-artifact@v4 + with: + name: sbom-vex + path: ${{matrix.project}}_vex* + retention-days: 5 From e894155027b6fb8a4b55cc98525d884913e536e0 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Thu, 21 Mar 2024 17:58:27 +0100 Subject: [PATCH 20/40] switch to quay image --- .github/workflows/vuln_man.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 0a30454..6786056 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -7,7 +7,7 @@ jobs: sbom: name: Generate app SBOM runs-on: ubuntu-latest - container: ghcr.io/cyclonedx/cdxgen:v10.2.4 + container: quay.io/pluribus_one/sbom_vex_scanner:latest # outputs: # sbom: ${{ steps.sbom_app.outputs.bom }} strategy: @@ -37,7 +37,7 @@ jobs: sbom-docker: name: Generate docker SBOM runs-on: ubuntu-latest - container: ghcr.io/cyclonedx/cdxgen:v10.2.4 + container: quay.io/pluribus_one/sbom_vex_scanner:latest # outputs: # sbom: ${{ steps.sbom_docker.outputs.bom }} strategy: From 650f718617af092c5a0351b0105b04aab78b5e8a Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Fri, 22 Mar 2024 10:33:15 +0100 Subject: [PATCH 21/40] artifact upload --- .github/workflows/vuln_man.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 6786056..36479b4 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -126,9 +126,6 @@ jobs: project: [ "dvna", "vulnado" ] steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Download merged sbom uses: actions/download-artifact@v4 with: @@ -153,6 +150,6 @@ jobs: if: always() uses: actions/upload-artifact@v4 with: - name: sbom-vex + name: sbom-vex-${{matrix.project}} path: ${{matrix.project}}_vex* retention-days: 5 
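Review bot: Both `Generate VEXs` steps in the uncommented `vex-bom` job pin the third-party action to a moving branch, `uses: aquasecurity/trivy-action@master`, so the code that reads the merged SBOM and writes the uploaded artifacts can change under the workflow without any diff in this repository; pin it to a release tag or, better, a full commit SHA with the tag in a trailing comment, the way the `actions/*` and `docker/*` steps in the same job at least use version tags. The scan target is also smuggled into `scan-type: "sbom sboms-…/…_merged_sbom.json"`; the action has a separate `scan-ref` input for the path, so `scan-type: sbom` plus `scan-ref: sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json` states the intent without relying on argument splitting. The second step is still named `(Human)` but now writes `format: 'sarif'`, which is machine-readable; either rename the step or keep `table` for the human report. What these steps emit is presumably a vulnerability report derived from the SBOM rather than a VEX carrying analysis statements, so the `_vex` artifact names may mislead consumers — worth confirming before the names are relied on.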
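Review bot: The `container:` lines in both hunks move the `sbom` and `sbom-docker` jobs from the pinned `ghcr.io/cyclonedx/cdxgen:v10.2.4` back to the floating tag `quay.io/pluribus_one/sbom_vex_scanner:latest`, so the tool that produces the SBOM — the document meant to attest what was built — is itself unpinned and can change between runs with no change in this repository. Pin the image by an immutable tag or by digest, `container: quay.io/pluribus_one/sbom_vex_scanner@sha256:<digest>` (placeholder), or at least record the image version in the SBOM metadata so the output stays reproducible. The same `:latest` reference is copied into the new `vuln_man_solved.yml` and `vuln_man_mod.yml` files later in the series.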
From f7995a431f43bfef5b09f65916f9bd280672935e Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Fri, 22 Mar 2024 10:44:31 +0100 Subject: [PATCH 22/40] remove trivy scans --- .github/workflows/vuln_man.yml | 59 ++++++---------------------------- 1 file changed, 9 insertions(+), 50 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 36479b4..c4903cb 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -13,7 +13,7 @@ jobs: strategy: fail-fast: false matrix: - project: [ "dvna", "vulnado" ] + project: ["dvna", "vulnado"] steps: - name: Checkout Repository @@ -25,7 +25,7 @@ jobs: cd vuln_apps/${{ matrix.project }} cdxgen --format json -o "${{ matrix.project }}_bom.json" # echo "bom=$(cat ${{ matrix.project }}_bom.json)" >> "$GITHUB_OUTPUT" - + - name: Upload results if: always() uses: actions/upload-artifact@v4 @@ -43,7 +43,7 @@ jobs: strategy: fail-fast: false matrix: - project: [ "dvna", "vulnado" ] + project: ["dvna", "vulnado"] steps: - name: Checkout Repository @@ -60,14 +60,14 @@ jobs: push: false load: true tags: ${{ matrix.project }}:latest - + - name: Generate docker SBOMs # id: "sbom_docker" run: | cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest cat ${{ matrix.project }}-docker_bom.json # echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" - + - name: upload Artifacts uses: actions/upload-artifact@v4 with: @@ -78,14 +78,14 @@ jobs: merge-sbom: name: Merge VEX from SBOM runs-on: ubuntu-latest - needs: [ "sbom", "sbom-docker"] + needs: ["sbom", "sbom-docker"] container: cyclonedx/cyclonedx-cli:0.25.0 # outputs: # sbom-merge: ${{ steps.merge_sbom.outputs }} strategy: fail-fast: false matrix: - project: [ "dvna", "vulnado" ] + project: ["dvna", "vulnado"] steps: - name: Download artifact sbom 
@@ -99,57 +99,16 @@ jobs: with: name: sbom-image-${{matrix.project}} path: ./sboms-${{matrix.project}} - + - name: Merge previously generated sboms # id: "merge_sbom" run: | cd sboms-${{matrix.project}} cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} - + - name: upload Artifacts uses: actions/upload-artifact@v4 with: name: sbom-merged-${{matrix.project}} path: "sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" retention-days: 5 - -#cat ${{ matrix.project }}_merged_sbom.json >> "$GITHUB_OUTPUT" - - - vex-bom: - name: Generate VEX from SBOM - needs: [ "merge-sbom"] - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - project: [ "dvna", "vulnado" ] - - steps: - - name: Download merged sbom - uses: actions/download-artifact@v4 - with: - name: sbom-merged-${{matrix.project}} - path: ./sboms-${{matrix.project}} - - - name: Generate VEXs (JSON) - uses: aquasecurity/trivy-action@master - with: - scan-type: "sbom sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" - format: "cyclonedx" - output: "${{ matrix.project }}_vex.json" - - - name: Generate VEXs (Human) - uses: aquasecurity/trivy-action@master - with: - scan-type: "sbom sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" - format: 'sarif' - output: "${{ matrix.project }}_vex_sarif" - - - name: Upload results - if: always() - uses: actions/upload-artifact@v4 - with: - name: sbom-vex-${{matrix.project}} - path: ${{matrix.project}}_vex* - retention-days: 5 From 67afef52dd4d6f00f78b07e0e84e6e310fc35109 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Fri, 22 Mar 2024 11:45:50 +0100 Subject: [PATCH 23/40] generate sboms --- .github/workflows/vuln_man.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index c4903cb..3a2ce00 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -1,4 +1,4 @@ -name: Vulnerability management workflow +name: Sbom generation on: workflow_dispatch: @@ -76,7 +76,7 @@ jobs: retention-days: 5 merge-sbom: - name: Merge VEX from SBOM + name: Merge previously generated SBOM runs-on: ubuntu-latest needs: ["sbom", "sbom-docker"] container: cyclonedx/cyclonedx-cli:0.25.0 From d401f2338e3ddc64e96365dd7090c1c330050eff Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Mon, 25 Mar 2024 17:07:10 +0100 Subject: [PATCH 24/40] flow updates --- .github/workflows/vuln_man.yml | 88 +++++++++----------- .github/workflows/vuln_man_solved.yml | 114 ++++++++++++++++++++++++++ 2 files changed, 151 insertions(+), 51 deletions(-) create mode 100644 .github/workflows/vuln_man_solved.yml diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 3a2ce00..96593a4 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -8,8 +8,6 @@ jobs: name: Generate app SBOM runs-on: ubuntu-latest container: quay.io/pluribus_one/sbom_vex_scanner:latest - # outputs: - # sbom: ${{ steps.sbom_app.outputs.bom }} strategy: fail-fast: false matrix: @@ -20,11 +18,9 @@ jobs: uses: actions/checkout@v4 - name: Generate SBOMs - # id: "sbom_app" run: | cd vuln_apps/${{ matrix.project }} cdxgen --format json -o "${{ matrix.project }}_bom.json" - # echo "bom=$(cat ${{ matrix.project }}_bom.json)" >> "$GITHUB_OUTPUT" - name: Upload results if: always() 
@@ -34,54 +30,46 @@ jobs: path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" retention-days: 5 - sbom-docker: - name: Generate docker SBOM - runs-on: ubuntu-latest - container: quay.io/pluribus_one/sbom_vex_scanner:latest - # outputs: - # sbom: ${{ steps.sbom_docker.outputs.bom }} - strategy: - fail-fast: false - matrix: - project: ["dvna", "vulnado"] - - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build Docker image - id: build-image - uses: docker/build-push-action@v5 - with: - context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}" - push: false - load: true - tags: ${{ matrix.project }}:latest - - - name: Generate docker SBOMs - # id: "sbom_docker" - run: | - cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest - cat ${{ matrix.project }}-docker_bom.json - # echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" - - - name: upload Artifacts - uses: actions/upload-artifact@v4 - with: - name: sbom-image-${{matrix.project}} - path: "${{ matrix.project }}-docker_bom.json" - retention-days: 5 + # sbom-docker: + # name: Generate docker SBOM + # runs-on: ubuntu-latest + # container: quay.io/pluribus_one/sbom_vex_scanner:latest + # strategy: + # fail-fast: false + # matrix: + # project: ["dvna", "vulnado"] + + # steps: + # - name: Checkout Repository + # uses: actions/checkout@v4 + + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@v3 + + # - name: Build Docker image + # id: build-image + # uses: docker/build-push-action@v5 + # with: + # context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}" + # push: false + # load: true + # tags: ${{ matrix.project }}:latest + + # - name: Generate docker SBOMs + # run: | + # cdxgen --type docker + + # - name: upload Artifacts + # uses: actions/upload-artifact@v4 + # with: + # name: 
sbom-image-${{matrix.project}} + # path: "/path/to/output/bom.json" merge-sbom: name: Merge previously generated SBOM runs-on: ubuntu-latest needs: ["sbom", "sbom-docker"] - container: cyclonedx/cyclonedx-cli:0.25.0 - # outputs: - # sbom-merge: ${{ steps.merge_sbom.outputs }} + container: cyclonedx/container:tag strategy: fail-fast: false matrix: @@ -101,14 +89,12 @@ jobs: path: ./sboms-${{matrix.project}} - name: Merge previously generated sboms - # id: "merge_sbom" run: | - cd sboms-${{matrix.project}} - cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} + cyclonedx merge --input-files file_in_1.json file_in_2.json --output-file file_out.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} - name: upload Artifacts uses: actions/upload-artifact@v4 with: name: sbom-merged-${{matrix.project}} - path: "sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" + path: "path/to/output/file.json" retention-days: 5 diff --git a/.github/workflows/vuln_man_solved.yml b/.github/workflows/vuln_man_solved.yml new file mode 100644 index 0000000..3a2ce00 --- /dev/null +++ b/.github/workflows/vuln_man_solved.yml 
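Review bot: The `merge-sbom` job keeps `needs: ["sbom", "sbom-docker"]` while the same hunk turns the entire `sbom-docker` job into comments, so the workflow now depends on a job that no longer exists and GitHub should reject the file at validation time rather than run it; drop `"sbom-docker"` from `needs:` or leave the job in place (PATCH 25 later in this series comments out `merge-sbom` as well, which sidesteps the problem rather than fixing it). The new `container: cyclonedx/container:tag` value and the `file_in_1.json` / `path/to/output/file.json` names read as exercise placeholders; if that is intended, a comment such as `# TODO(exercise): replace with the real image and file names` on those lines would tell a reader they are deliberate rather than broken.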
@@ -0,0 +1,114 @@ +name: Sbom generation + +on: + workflow_dispatch: + +jobs: + sbom: + name: Generate app SBOM + runs-on: ubuntu-latest + container: quay.io/pluribus_one/sbom_vex_scanner:latest + # outputs: + # sbom: ${{ steps.sbom_app.outputs.bom }} + strategy: + fail-fast: false + matrix: + project: ["dvna", "vulnado"] + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Generate SBOMs + # id: "sbom_app" + run: | + cd vuln_apps/${{ matrix.project }} + cdxgen --format json -o "${{ matrix.project }}_bom.json" + # echo "bom=$(cat ${{ matrix.project }}_bom.json)" >> "$GITHUB_OUTPUT" + + - name: Upload results + if: always() + uses: actions/upload-artifact@v4 + with: + name: sbom-${{matrix.project}} + path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" + retention-days: 5 + + sbom-docker: + name: Generate docker SBOM + runs-on: ubuntu-latest + container: quay.io/pluribus_one/sbom_vex_scanner:latest + # outputs: + # sbom: ${{ steps.sbom_docker.outputs.bom }} + strategy: + fail-fast: false + matrix: + project: ["dvna", "vulnado"] + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build Docker image + id: build-image + uses: docker/build-push-action@v5 + with: + context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}" + push: false + load: true + tags: ${{ matrix.project }}:latest + + - name: Generate docker SBOMs + # id: "sbom_docker" + run: | + cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest + cat ${{ matrix.project }}-docker_bom.json + # echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" + + - name: upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-image-${{matrix.project}} + path: "${{ matrix.project }}-docker_bom.json" + retention-days: 5 + + merge-sbom: + name: Merge previously generated SBOM + runs-on: ubuntu-latest 
+ needs: ["sbom", "sbom-docker"] + container: cyclonedx/cyclonedx-cli:0.25.0 + # outputs: + # sbom-merge: ${{ steps.merge_sbom.outputs }} + strategy: + fail-fast: false + matrix: + project: ["dvna", "vulnado"] + + steps: + - name: Download artifact sbom + uses: actions/download-artifact@v4 + with: + name: sbom-${{matrix.project}} + path: ./sboms-${{matrix.project}} + + - name: Download artifact sbom-docker + uses: actions/download-artifact@v4 + with: + name: sbom-image-${{matrix.project}} + path: ./sboms-${{matrix.project}} + + - name: Merge previously generated sboms + # id: "merge_sbom" + run: | + cd sboms-${{matrix.project}} + cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} + + - name: upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-merged-${{matrix.project}} + path: "sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" + retention-days: 5 From 02878f379884c2f069d1ee2cea80987bb2054c22 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 11:55:00 +0100 Subject: [PATCH 25/40] update flow --- .github/workflows/vuln_man.yml | 59 +++++++++++++++++----------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 96593a4..f29849f 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml 
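Review bot: The new workflow declares no `permissions:` block, so every job runs with the repository's default `GITHUB_TOKEN` scope even though the visible steps only check out the repository, build a local image and upload artifacts; add a top-level `permissions:` with `contents: read` so the token follows least privilege. The `cat ${{ matrix.project }}-docker_bom.json` line in `Generate docker SBOMs` dumps the whole image SBOM into the job log, which duplicates the uploaded artifact and makes the log hard to read. Both points apply equally to `vuln_man_mod.yml` added later in the series.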
@@ -64,37 +64,38 @@ jobs: # with: # name: sbom-image-${{matrix.project}} # path: "/path/to/output/bom.json" + # retention-days: 5 - merge-sbom: - name: Merge previously generated SBOM - runs-on: ubuntu-latest - needs: ["sbom", "sbom-docker"] - container: cyclonedx/container:tag - strategy: - fail-fast: false - matrix: - project: ["dvna", "vulnado"] + # merge-sbom: + # name: Merge previously generated SBOM + # runs-on: ubuntu-latest + # needs: ["sbom", "sbom-docker"] + # container: cyclonedx/container:tag + # strategy: + # fail-fast: false + # matrix: + # project: ["dvna", "vulnado"] - steps: - - name: Download artifact sbom - uses: actions/download-artifact@v4 - with: - name: sbom-${{matrix.project}} - path: ./sboms-${{matrix.project}} + # steps: + # - name: Download artifact sbom + # uses: actions/download-artifact@v4 + # with: + # name: sbom-${{matrix.project}} + # path: ./sboms-${{matrix.project}} - - name: Download artifact sbom-docker - uses: actions/download-artifact@v4 - with: - name: sbom-image-${{matrix.project}} - path: ./sboms-${{matrix.project}} + # - name: Download artifact sbom-docker + # uses: actions/download-artifact@v4 + # with: + # name: sbom-image-${{matrix.project}} + # path: ./sboms-${{matrix.project}} - - name: Merge previously generated sboms - run: | - cyclonedx merge --input-files file_in_1.json file_in_2.json --output-file file_out.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} + # - name: Merge previously generated sboms + # run: | + # cyclonedx merge --input-files sboms-${{matrix.project}}/file_in_1.json sboms-${{matrix.project}}/file_in_2.json --output-file file_out.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} - - name: upload Artifacts - uses: actions/upload-artifact@v4 - with: - name: sbom-merged-${{matrix.project}} - path: "path/to/output/file.json" - retention-days: 5 + # - name: upload Artifacts + # uses: actions/upload-artifact@v4 + # with: + # name: 
sbom-merged-${{matrix.project}} + # path: "path/to/output/file.json" + # retention-days: 5 From 87a1d5dcc2e36c1cb3ab54b245cc7b6c7aadf71d Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 12:22:53 +0100 Subject: [PATCH 26/40] rename workflow --- .github/workflows/vuln_man.yml | 2 +- .github/workflows/vuln_man_mod.yml | 101 ++++++++++++++++++++++++++ .github/workflows/vuln_man_solved.yml | 2 +- 3 files changed, 103 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/vuln_man_mod.yml diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index f29849f..7d7eea9 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -1,4 +1,4 @@ -name: Sbom generation +name: SBOM generation on: workflow_dispatch: diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml new file mode 100644 index 0000000..7d7eea9 --- /dev/null +++ b/.github/workflows/vuln_man_mod.yml 
@@ -0,0 +1,101 @@ +name: SBOM generation + +on: + workflow_dispatch: + +jobs: + sbom: + name: Generate app SBOM + runs-on: ubuntu-latest + container: quay.io/pluribus_one/sbom_vex_scanner:latest + strategy: + fail-fast: false + matrix: + project: ["dvna", "vulnado"] + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Generate SBOMs + run: | + cd vuln_apps/${{ matrix.project }} + cdxgen --format json -o "${{ matrix.project }}_bom.json" + + - name: Upload results + if: always() + uses: actions/upload-artifact@v4 + with: + name: sbom-${{matrix.project}} + path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" + retention-days: 5 + + # sbom-docker: + # name: Generate docker SBOM + # runs-on: ubuntu-latest + # container: quay.io/pluribus_one/sbom_vex_scanner:latest + # strategy: + # fail-fast: false + # matrix: + # project: ["dvna", "vulnado"] + + # steps: + # - name: Checkout Repository + # uses: actions/checkout@v4 + + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@v3 + + # - name: Build Docker image + # id: build-image + # uses: docker/build-push-action@v5 + # with: + # context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}" + # push: false + # load: true + # tags: ${{ matrix.project }}:latest + + # - name: Generate docker SBOMs + # run: | + # cdxgen --type docker + + # - name: upload Artifacts + # uses: actions/upload-artifact@v4 + # with: + # name: sbom-image-${{matrix.project}} + # path: "/path/to/output/bom.json" + # retention-days: 5 + + # merge-sbom: + # name: Merge previously generated SBOM + # runs-on: ubuntu-latest + # needs: ["sbom", "sbom-docker"] + # container: cyclonedx/container:tag + # strategy: + # fail-fast: false + # matrix: + # project: ["dvna", "vulnado"] + + # steps: + # - name: Download artifact sbom + # uses: actions/download-artifact@v4 + # with: + # name: sbom-${{matrix.project}} + # path: ./sboms-${{matrix.project}} + + # - name: Download artifact sbom-docker + # 
uses: actions/download-artifact@v4 + # with: + # name: sbom-image-${{matrix.project}} + # path: ./sboms-${{matrix.project}} + + # - name: Merge previously generated sboms + # run: | + # cyclonedx merge --input-files sboms-${{matrix.project}}/file_in_1.json sboms-${{matrix.project}}/file_in_2.json --output-file file_out.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} + + # - name: upload Artifacts + # uses: actions/upload-artifact@v4 + # with: + # name: sbom-merged-${{matrix.project}} + # path: "path/to/output/file.json" + # retention-days: 5 diff --git a/.github/workflows/vuln_man_solved.yml b/.github/workflows/vuln_man_solved.yml index 3a2ce00..6b71152 100644 --- a/.github/workflows/vuln_man_solved.yml +++ b/.github/workflows/vuln_man_solved.yml @@ -1,4 +1,4 @@ -name: Sbom generation +name: SBOM generation on: workflow_dispatch: From 27ded85a6302abddd9973c860edd56beefaff313 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 12:24:21 +0100 Subject: [PATCH 27/40] update names --- .github/workflows/vuln_man_mod.yml | 2 +- .github/workflows/vuln_man_solved.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index 7d7eea9..80be97f 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -1,4 +1,4 @@ -name: SBOM generation +name: SBOM generation mod on: workflow_dispatch: diff --git a/.github/workflows/vuln_man_solved.yml b/.github/workflows/vuln_man_solved.yml index 6b71152..4ef7904 100644 --- a/.github/workflows/vuln_man_solved.yml +++ b/.github/workflows/vuln_man_solved.yml @@ -1,4 +1,4 @@ -name: SBOM generation +name: SBOM generation final on: workflow_dispatch: From b6affee414201298bb8354b6a1ab1dcf878a088a Mon Sep 17 00:00:00 2001 
From: "federico.bo" Date: Tue, 26 Mar 2024 14:24:13 +0100 Subject: [PATCH 28/40] prova ex2 --- .github/workflows/vuln_man_mod.yml | 60 +++++++++++++-------------- .github/workflows/vuln_man_solved.yml | 2 +- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index 80be97f..261a044 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml 
@@ -30,41 +30,41 @@ jobs: path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" retention-days: 5 - # sbom-docker: - # name: Generate docker SBOM - # runs-on: ubuntu-latest - # container: quay.io/pluribus_one/sbom_vex_scanner:latest - # strategy: - # fail-fast: false - # matrix: - # project: ["dvna", "vulnado"] + sbom-docker: + name: Generate docker SBOM + runs-on: ubuntu-latest + container: quay.io/pluribus_one/sbom_vex_scanner:latest + strategy: + fail-fast: false + matrix: + project: ["dvna", "vulnado"] - # steps: - # - name: Checkout Repository - # uses: actions/checkout@v4 + steps: + - name: Checkout Repository + uses: actions/checkout@v4 - # - name: Set up Docker Buildx - # uses: docker/setup-buildx-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - # - name: Build Docker image - # id: build-image - # uses: docker/build-push-action@v5 - # with: - # context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}" - # push: false - # load: true - # tags: ${{ matrix.project }}:latest + - name: Build Docker image + id: build-image + uses: docker/build-push-action@v5 + with: + context: "${{ github.workspace }}/vuln_apps/${{ matrix.project }}" + push: false + load: true + tags: ${{ matrix.project }}:latest - # - name: Generate docker SBOMs - # run: | - # cdxgen --type docker + - name: Generate docker SBOMs + run: | + cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest - # - name: upload Artifacts - # uses: actions/upload-artifact@v4 - # with: - # name: sbom-image-${{matrix.project}} - # path: "/path/to/output/bom.json" - # retention-days: 5 + - name: upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-image-${{matrix.project}} + path: "/path/to/output/bom.json" + retention-days: 5 # merge-sbom: # name: Merge previously generated SBOM diff --git a/.github/workflows/vuln_man_solved.yml b/.github/workflows/vuln_man_solved.yml index 4ef7904..2be67bf 100644 
--- a/.github/workflows/vuln_man_solved.yml +++ b/.github/workflows/vuln_man_solved.yml @@ -65,7 +65,7 @@ jobs: # id: "sbom_docker" run: | cdxgen --type docker -o "${{ matrix.project }}-docker_bom.json" ${{ matrix.project }}:latest - cat ${{ matrix.project }}-docker_bom.json + # cat ${{ matrix.project }}-docker_bom.json # echo "bom=$(cat ${{ matrix.project }}-docker_bom.json)" >> "$GITHUB_OUTPUT" - name: upload Artifacts From 0881753ba51991b920e38198476f190ffd5077e4 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 14:28:19 +0100 Subject: [PATCH 29/40] ex2 --- .github/workflows/vuln_man_mod.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index 261a044..a07d53d 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -63,7 +63,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: sbom-image-${{matrix.project}} - path: "/path/to/output/bom.json" + path: "${{ matrix.project }}-docker_bom.json" retention-days: 5 # merge-sbom: From c33d729885624850ce7205c10ad33aa0d97c42c4 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 14:30:19 +0100 Subject: [PATCH 30/40] error if no artifact found --- .github/workflows/vuln_man_mod.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index a07d53d..99c30e3 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -29,6 +29,7 @@ jobs: name: sbom-${{matrix.project}} path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" retention-days: 5 + if-no-files-found: error sbom-docker: name: Generate docker SBOM @@ -65,6 +66,7 @@ jobs: name: sbom-image-${{matrix.project}} path: "${{ matrix.project }}-docker_bom.json" retention-days: 5 + if-no-files-found: error # merge-sbom: # name: Merge previously generated SBOM 
@@ -99,3 +101,4 @@ jobs: # name: sbom-merged-${{matrix.project}} # path: "path/to/output/file.json" # retention-days: 5 + # if-no-files-found: error From 3683512d30ced29f1c1b26ba5a6ed06e017bb403 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 14:34:45 +0100 Subject: [PATCH 31/40] change artifact name --- .github/workflows/vuln_man_mod.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index 99c30e3..4d0b167 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -63,7 +63,7 @@ jobs: - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: sbom-image-${{matrix.project}} + name: sbom-docker-${{matrix.project}} path: "${{ matrix.project }}-docker_bom.json" retention-days: 5 if-no-files-found: error @@ -88,7 +88,7 @@ jobs: # - name: Download artifact sbom-docker # uses: actions/download-artifact@v4 # with: - # name: sbom-image-${{matrix.project}} + # name: sbom-docker-${{matrix.project}} # path: ./sboms-${{matrix.project}} # - name: Merge previously generated sboms From f46899daa4ebda00eb6d3e8d2dab73f4cda95ad0 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 14:45:38 +0100 Subject: [PATCH 32/40] ex3 --- .github/workflows/vuln_man_mod.yml | 72 +++++++++++++++--------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index 4d0b167..09d6d5d 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -27,7 +27,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: sbom-${{matrix.project}} - path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" + path: vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json retention-days: 5 if-no-files-found: error 
@@ -64,41 +64,41 @@ jobs: uses: actions/upload-artifact@v4 with: name: sbom-docker-${{matrix.project}} - path: "${{ matrix.project }}-docker_bom.json" + path: ${{ matrix.project }}-docker_bom.json retention-days: 5 if-no-files-found: error - # merge-sbom: - # name: Merge previously generated SBOM - # runs-on: ubuntu-latest - # needs: ["sbom", "sbom-docker"] - # container: cyclonedx/container:tag - # strategy: - # fail-fast: false - # matrix: - # project: ["dvna", "vulnado"] - - # steps: - # - name: Download artifact sbom - # uses: actions/download-artifact@v4 - # with: - # name: sbom-${{matrix.project}} - # path: ./sboms-${{matrix.project}} - - # - name: Download artifact sbom-docker - # uses: actions/download-artifact@v4 - # with: - # name: sbom-docker-${{matrix.project}} - # path: ./sboms-${{matrix.project}} - - # - name: Merge previously generated sboms - # run: | - # cyclonedx merge --input-files sboms-${{matrix.project}}/file_in_1.json sboms-${{matrix.project}}/file_in_2.json --output-file file_out.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} - - # - name: upload Artifacts - # uses: actions/upload-artifact@v4 - # with: - # name: sbom-merged-${{matrix.project}} - # path: "path/to/output/file.json" - # retention-days: 5 - # if-no-files-found: error + merge-sbom: + name: Merge previously generated SBOM + runs-on: ubuntu-latest + needs: ["sbom", "sbom-docker"] + container: cyclonedx/cyclonedx-cli:0.25.0 + strategy: + fail-fast: false + matrix: + project: ["dvna", "vulnado"] + + steps: + - name: Download artifact sbom + uses: actions/download-artifact@v4 + with: + name: sbom-${{matrix.project}} + path: ./sboms-${{matrix.project}} + + - name: Download artifact sbom-docker + uses: actions/download-artifact@v4 + with: + name: sbom-docker-${{matrix.project}} + path: ./sboms-${{matrix.project}} + + - name: Merge previously generated sboms + run: | + cyclonedx merge --input-files ${{ matrix.project }}_bom.json ${{ matrix.project 
}}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }}--version ${{ github.run_number }} --version ${{ github.run_number }} --group devsecops-exercises + + - name: upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-merged-${{matrix.project}} + path: ${{ matrix.project }}_merged_sbom.json + retention-days: 5 + if-no-files-found: error From d5bc0e70ba1edac8422f4d0dc76fdc4b0bd7c14e Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 14:50:51 +0100 Subject: [PATCH 33/40] repetition --- .github/workflows/vuln_man_mod.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index 09d6d5d..55b02b5 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -93,7 +93,7 @@ jobs: - name: Merge previously generated sboms run: | - cyclonedx merge --input-files ${{ matrix.project }}_bom.json ${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }}--version ${{ github.run_number }} --version ${{ github.run_number }} --group devsecops-exercises + cyclonedx merge --input-files ${{ matrix.project }}_bom.json ${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} --group devsecops-exercises - name: upload Artifacts uses: actions/upload-artifact@v4 From bb85112b9b52def647c1be52689393f4dd29b5f5 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 14:56:18 +0100 Subject: [PATCH 34/40] change name --- .github/workflows/vuln_man_mod.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index 55b02b5..bac5556 100644 --- a/.github/workflows/vuln_man_mod.yml 
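Review bot: The newly enabled merge-sbom job pulls `cyclonedx/cyclonedx-cli:0.25.0` by mutable tag, so the tool that produces the merged SBOM, the artifact this pipeline exists to trust, is not itself reproducibly pinned; pin it by digest, `container: cyclonedx/cyclonedx-cli:0.25.0@sha256:<digest>` (placeholder, take it from the registry), and the same applies to `actions/download-artifact@v4` and `actions/upload-artifact@v4`, which float on a major tag rather than a commit SHA. The merge command also reads `${{ matrix.project }}_bom.json` and `${{ matrix.project }}-docker_bom.json` from the workspace root while both download steps place the files under `./sboms-${{matrix.project}}`, so at this commit the step cannot find its inputs; the repeated `--version ${{ github.run_number }}` is a second defect on the same line. Both are corrected by later commits in this series (PATCH 33 and 35), so no further change is needed here beyond the pinning.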
+++ b/.github/workflows/vuln_man_mod.yml @@ -63,7 +63,7 @@ jobs: - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: sbom-docker-${{matrix.project}} + name: sbom-${{matrix.project}}-docker path: ${{ matrix.project }}-docker_bom.json retention-days: 5 if-no-files-found: error @@ -88,7 +88,7 @@ jobs: - name: Download artifact sbom-docker uses: actions/download-artifact@v4 with: - name: sbom-docker-${{matrix.project}} + name: sbom-${{matrix.project}}-docker path: ./sboms-${{matrix.project}} - name: Merge previously generated sboms From 2d6972e07d8b0e181177486ecc386a7892b5a6dc Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 14:57:48 +0100 Subject: [PATCH 35/40] change out --- .github/workflows/vuln_man_mod.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index bac5556..a94fffc 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -93,7 +93,7 @@ jobs: - name: Merge previously generated sboms run: | - cyclonedx merge --input-files ${{ matrix.project }}_bom.json ${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} --group devsecops-exercises + cyclonedx merge --input-files sboms-${{matrix.project}}/${{ matrix.project }}_bom.json sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} --group devsecops-exercises - name: upload Artifacts uses: actions/upload-artifact@v4 From a45c6d504bfab20661dd66eabb8a57df2eff1a1b Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 15:15:53 +0100 Subject: [PATCH 36/40] update name --- .github/workflows/vuln_man_mod.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
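Review bot: The corrected merge command is a single line of roughly 300 characters inside `run: |`, which is exactly how the duplicated `--version` flag of the previous commits went unnoticed; splitting it with shell continuations makes each flag reviewable on its own line without changing what runs. The same one-line form is copied into `.github/workflows/vuln_man_solved.yml` in PATCH 37, so the layout below applies there too. Indentation here is conventional, since the collapsed diff does not preserve the original columns.

```yaml
- name: Merge previously generated sboms
  run: |
    cyclonedx merge \
      --input-files \
        sboms-${{matrix.project}}/${{ matrix.project }}_bom.json \
        sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json \
      --output-file ${{ matrix.project }}_merged_sbom.json \
      --hierarchical \
      --name ${{ matrix.project }} \
      --version ${{ github.run_number }} \
      --group devsecops-exercises
```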
diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index a94fffc..98417a2 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -98,7 +98,7 @@ jobs: - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: sbom-merged-${{matrix.project}} + name: sbom-${{matrix.project}}-merged path: ${{ matrix.project }}_merged_sbom.json retention-days: 5 if-no-files-found: error From b04b571d028182d90f05972272dae6bb3a04f556 Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 15:20:26 +0100 Subject: [PATCH 37/40] update files --- .github/workflows/vuln_man_mod.yml | 4 ++-- .github/workflows/vuln_man_solved.yml | 16 +++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/vuln_man_mod.yml b/.github/workflows/vuln_man_mod.yml index 98417a2..562f2dd 100644 --- a/.github/workflows/vuln_man_mod.yml +++ b/.github/workflows/vuln_man_mod.yml @@ -72,7 +72,7 @@ jobs: name: Merge previously generated SBOM runs-on: ubuntu-latest needs: ["sbom", "sbom-docker"] - container: cyclonedx/cyclonedx-cli:0.25.0 + container: cyclonedx/cyclonedx-cli:0.25.0 strategy: fail-fast: false matrix: @@ -93,7 +93,7 @@ jobs: - name: Merge previously generated sboms run: | - cyclonedx merge --input-files sboms-${{matrix.project}}/${{ matrix.project }}_bom.json sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} --group devsecops-exercises + cyclonedx merge --input-files sboms-${{matrix.project}}/${{ matrix.project }}_bom.json sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} --group devsecops-exercises - name: upload Artifacts uses: actions/upload-artifact@v4 
diff --git a/.github/workflows/vuln_man_solved.yml b/.github/workflows/vuln_man_solved.yml index 2be67bf..4d56b6b 100644 --- a/.github/workflows/vuln_man_solved.yml +++ b/.github/workflows/vuln_man_solved.yml @@ -33,6 +33,7 @@ jobs: name: sbom-${{matrix.project}} path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" retention-days: 5 + if-no-files-found: error sbom-docker: name: Generate docker SBOM @@ -71,9 +72,10 @@ jobs: - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: sbom-image-${{matrix.project}} - path: "${{ matrix.project }}-docker_bom.json" + name: sbom-${{matrix.project}}-docker + path: ${{ matrix.project }}-docker_bom.json retention-days: 5 + if-no-files-found: error merge-sbom: name: Merge previously generated SBOM @@ -97,18 +99,18 @@ jobs: - name: Download artifact sbom-docker uses: actions/download-artifact@v4 with: - name: sbom-image-${{matrix.project}} + name: sbom-${{matrix.project}}-docker path: ./sboms-${{matrix.project}} - name: Merge previously generated sboms # id: "merge_sbom" run: | - cd sboms-${{matrix.project}} - cyclonedx merge --input-files ${{ matrix.project }}-docker_bom.json ${{ matrix.project }}_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} + cyclonedx merge --input-files sboms-${{matrix.project}}/${{ matrix.project }}_bom.json sboms-${{matrix.project}}/${{ matrix.project }}-docker_bom.json --output-file ${{ matrix.project }}_merged_sbom.json --hierarchical --name ${{ matrix.project }} --version ${{ github.run_number }} --group devsecops-exercises - name: upload Artifacts uses: actions/upload-artifact@v4 with: - name: sbom-merged-${{matrix.project}} - path: "sboms-${{matrix.project}}/${{ matrix.project }}_merged_sbom.json" + name: sbom-${{matrix.project}}-merged + path: ${{ matrix.project }}_merged_sbom.json retention-days: 5 + if-no-files-found: error 
From b42bbe01b89564646169c863e4cac621d34263ea Mon Sep 17 00:00:00 2001 From: "federico.bo" Date: Tue, 26 Mar 2024 15:26:19 +0100 Subject: [PATCH 38/40] update sbom generation --- .github/workflows/vuln_man.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/vuln_man.yml b/.github/workflows/vuln_man.yml index 7d7eea9..2358b58 100644 --- a/.github/workflows/vuln_man.yml +++ b/.github/workflows/vuln_man.yml @@ -29,6 +29,7 @@ jobs: name: sbom-${{matrix.project}} path: "vuln_apps/${{ matrix.project }}/${{ matrix.project }}_bom.json" retention-days: 5 + if-no-files-found: error # sbom-docker: # name: Generate docker SBOM @@ -62,9 +63,10 @@ jobs: # - name: upload Artifacts # uses: actions/upload-artifact@v4 # with: - # name: sbom-image-${{matrix.project}} + # name: sbom-${{matrix.project}}-docker # path: "/path/to/output/bom.json" # retention-days: 5 + # if-no-files-found: error # merge-sbom: # name: Merge previously generated SBOM @@ -86,7 +88,7 @@ jobs: # - name: Download artifact sbom-docker # uses: actions/download-artifact@v4 # with: - # name: sbom-image-${{matrix.project}} + # name: sbom-${{matrix.project}}-docker # path: ./sboms-${{matrix.project}} # - name: Merge previously generated sboms @@ -96,6 +98,7 @@ jobs: # - name: upload Artifacts # uses: actions/upload-artifact@v4 # with: - # name: sbom-merged-${{matrix.project}} - # path: "path/to/output/file.json" + # name: sbom-${{matrix.project}}-merged + # path: "path/to/file_out.json" # retention-days: 5 + # if-no-files-found: error From 60a20a37043cd7f0f29aa3fc0cf7720a993f8a9f Mon Sep 17 00:00:00 2001 From: Federico Bo Date: Fri, 19 Apr 2024 12:15:03 +0200 Subject: [PATCH 39/40] Create semgrep.yml add semgrep --- .github/workflows/semgrep.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/semgrep.yml 
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 0000000..40bb1a5 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,25 @@ +name: Semgrep +on: + workflow_dispatch: {} + pull_request: {} + push: + branches: + - main + - master + paths: + - .github/workflows/semgrep.yml + schedule: + # random HH:MM to avoid a load spike on GitHub Actions at 00:00 + - cron: '12 1 * * *' +jobs: + semgrep: + name: semgrep/ci + runs-on: ubuntu-20.04 + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + container: + image: semgrep/semgrep + if: (github.actor != 'dependabot[bot]') + steps: + - uses: actions/checkout@v3 + - run: semgrep ci From 4f4d5df7830a579c733623fc664c8afbb7d9dae0 Mon Sep 17 00:00:00 2001 From: "semgrep.dev on behalf of @federicobo" Date: Fri, 19 Apr 2024 10:15:54 +0000 Subject: [PATCH 40/40] Add Semgrep CI --- .github/workflows/semgrep.yml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 40bb1a5..c322317 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -1,16 +1,16 @@ -name: Semgrep on: workflow_dispatch: {} pull_request: {} push: branches: - - main - - master + - main + - master paths: - - .github/workflows/semgrep.yml + - .github/workflows/semgrep.yml schedule: - # random HH:MM to avoid a load spike on GitHub Actions at 00:00 - - cron: '12 1 * * *' + # random HH:MM to avoid a load spike on GitHub Actions at 00:00 + - cron: 12 1 * * * +name: Semgrep jobs: semgrep: name: semgrep/ci @@ -18,8 +18,7 @@ jobs: env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} container: - image: semgrep/semgrep - if: (github.actor != 'dependabot[bot]') + image: returntocorp/semgrep steps: - - uses: actions/checkout@v3 - - run: semgrep ci + - uses: actions/checkout@v3 + - run: semgrep ci
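Review bot: The new semgrep.yml declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope even though `semgrep ci` authenticates to semgrep.dev through `SEMGREP_APP_TOKEN` and, as far as this file shows, needs only to read the checkout; add `permissions:` with `contents: read` at the workflow top level. The job image `semgrep/semgrep` has no tag, and `actions/checkout@v3` floats on a major tag, so the scanner whose verdict gates the repository is not pinned; prefer a specific version or digest, for example `image: semgrep/semgrep:<version>@sha256:<digest>` (placeholders). `runs-on: ubuntu-20.04` has since been retired from GitHub-hosted runners; because the steps execute inside the container, `ubuntu-latest` is a safe replacement. On `pull_request` runs from forks the secret is not exposed, so `semgrep ci` would presumably run without the app token there; confirm that is the intended behaviour.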
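Review bot: The second hunk drops `if: (github.actor != 'dependabot[bot]')` without a replacement; that guard appears to exist because Dependabot-triggered runs do not receive repository Actions secrets, so on those runs `secrets.SEMGREP_APP_TOKEN` would be empty and `semgrep ci` would fail or run unauthenticated, and it is worth restoring unless a Dependabot secret of the same name has been configured. The same hunk switches the job to `image: returntocorp/semgrep`, the pre-rename organisation name, still with no tag; confirm which image is maintained and pin it, `image: semgrep/semgrep:<version>` (placeholder). In the first hunk the schedule became the unquoted plain scalar `- cron: 12 1 * * *`; it parses as a string, but keeping it quoted as `'12 1 * * *'` guards against future edits that start the value with `*`.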