Skip to content

SBOM generation

SBOM generation #108

Workflow file for this run

name: SBOM generation
on:
workflow_dispatch:
schedule:
# Runs at 02:00 UTC every Monday
- cron: '2 0 * * 1'
permissions:
contents: read
jobs:
sbom_gen:
permissions:
contents: write # for peter-evans/create-pull-request to create branch
pull-requests: write # for peter-evans/create-pull-request to create a PR
name: Generate SBOM
if: github.repository == 'intel/cve-bin-tool' # for SBOM generation on forks
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
strategy:
matrix:
python: ['3.8', '3.9', '3.10', '3.11', '3.12']
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: ${{ matrix.python }}
cache: 'pip'
cache-dependency-path: '**/requirements.txt'
- name: Install dependencies and cve-bin-tool
run: |
python -m pip install --upgrade pip
python -m pip install --upgrade setuptools
python -m pip install --upgrade wheel
python -m pip install --upgrade sbom4python
pip install . --upgrade --upgrade-strategy=eager
- name: Generate SBOM for cve-bin-tool
run: |
sbom4python --module cve-bin-tool --output cve-bin-tool-py${{ matrix.python }}.spdx
sbom4python --module cve-bin-tool --sbom cyclonedx --format json --output cve-bin-tool-py${{ matrix.python }}.json
- name: Compare SBOM for cve-bin-tool
id: diff-sbom
# This would fail due to time/date of SBOM generation in SBOM header
# Therefore ignore first 10 lines of file in comparison which is SBOM header
run: |
/bin/tail -n +10 sbom/cve-bin-tool-py${{ matrix.python }}.spdx > orig
/bin/tail -n +10 cve-bin-tool-py${{ matrix.python }}.spdx > new
echo "changed=$(/bin/diff -q orig new)" >> $GITHUB_OUTPUT
- name: Display generated SBOM if difference detected
if: ${{ steps.diff-sbom.outputs.changed }}
run: |
/bin/cat cve-bin-tool-py${{ matrix.python }}.spdx
- name: Update existing SBOM if difference detected
if: ${{ steps.diff-sbom.outputs.changed }}
run: |
cp cve-bin-tool-py${{ matrix.python }}.spdx sbom/cve-bin-tool-py${{ matrix.python }}.spdx
cp cve-bin-tool-py${{ matrix.python }}.json sbom/cve-bin-tool-py${{ matrix.python }}.json
- name: Create Pull Request
if: ${{ steps.diff-sbom.outputs.changed }}
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
with:
commit-message: "chore: update SBOM for Python ${{ matrix.python }}"
title: "chore: update SBOM for Python ${{ matrix.python }}"
branch: chore-sbom-py${{ matrix.python }}
delete-branch: true
author: GitHub <[email protected]>
add-paths: sbom