Adds new structure

Screenly · Aug 20, 2024 · 98c373f · 98c373f
1 parent 40d2faa
commit 98c373f
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 19 deletions.
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -3,39 +3,51 @@ name: Generate SBOMs
 
 on:
   push:
-    branches:
-      - master
-    paths:
-      - 'Cargo.lock'
+    tags:
+      - 'v*'
 
 jobs:
   sbom:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
 
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.10'
-          cache: 'pip'
+      - name: Install cyclonedx-rust-cargo
+        run: |
+          cargo install cargo-cyclonedx
 
-      - name: Install sbom4rust
+      - name: Generate SBOM
         run: |
-          pip install git+https://github.com/anthonyharrison/sbom4rust.git
+          cargo cyclonedx \
+            --describe binaries \
+            --no-build-deps \
+            --spec-version 1.5 \
+            -f json
 
-      - name: Run sbom4rust
+      - name: Enrich and clean up SBOM
         run: |
-          sbom4rust -a screenly-cli --sbom spdx --format json -o sbom.spdx.json
-          sbom4rust -a screenly-cli --sbom cyclonedx --format json -o sbom.cyclonedx.json
 
-      - name: Upload SPDX SBOM
-        uses: actions/upload-artifact@v3
-        with:
-          name: cli-SPDX
-          path: sbom.spdx.json
+        # Grab the version
+        export VERSION_TAG="${GITHUB_REF#refs/*/}"
+        export VERION=$(echo $VERSION_TAG | sed 's/^v//g')
+
+        # Delete unnecessary metadata.component.components
+        jq 'del(.metadata.component.components)' \
+          screenly_bin.cdx.json \
+          > screenly_bin.cdx.json
+
+        # Render SBOM metadata template
+        cat sbom/metadata.cdx.json.tmpl | \
+          envsubst > metadata.cdx.json
+
+        # Merge in CycloneDX Metadata
+        jq --slurp '.[0] * .[1]' \
+          screenly_bin.cdx.json \
+          metadata.cdx.json \
+          > screenly-cli.cdx.json
 
       - name: Upload CycloneDX SBOM
         uses: actions/upload-artifact@v3
         with:
           name: cli-CycloneDX
-          path: sbom.cyclonedx.json
+          path: screenly-cli.cdx.json
diff --git a/sbom/metadata.cdx.json.tmpl b/sbom/metadata.cdx.json.tmpl
@@ -0,0 +1,18 @@
+{
+    "version": "${GITHUB_RUN_NUMBER}",
+    "metadata": {
+        "lifecycles": {
+            "stage": "build"
+        },
+        "manufacture": {
+            "name": "Screenly, Inc",
+            "url": "https://www.screenly.io"
+        },
+        "licenses": "MIT",
+        "component": {
+            "bom-ref": "screenly-cli-${VERSION}",
+            "purl": "pkg:github/screenly/cli@$${VERSION_TAG}",
+            "version": "${VERSION}",
+        }
+    },
+}