Generate SBOM for generated Package

Generate SBOM file for python wheels, electron apps and web app. Other Changes ------------- - Add `concurrency` to `package-webapp` workflow. Closes #4770 Co-authored-by: Marcos Medrano <786907+mmmarcos@users.noreply.github.com> Signed-off-by: firelight flagboy <firelight.flagboy@gmail.com>
Scille · Jul 6, 2023 · 67b5422 · 67b5422
1 parent 7d6fae4
commit 67b5422
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 30 deletions.
diff --git a/.cspell/custom-words.txt b/.cspell/custom-words.txt
@@ -26,10 +26,6 @@ browserslistrc
 Bsas
 bxsalsa
 cachekey
-latexmk
-librsvg
-luatex
-LATEXMKOPTS
 CAFILE
 camelcase
 capacitorjs
@@ -125,6 +121,7 @@ HKCR
 HKCU
 HKLM
 Hodi
+htmlcov
 hypercorn
 icccm
 IDCANCEL
@@ -145,6 +142,8 @@ JsonSchema
 jvmargs
 KeyFile
 keysyms
+latexmk
+LATEXMKOPTS
 latexpdfja
 levelno
 libasound
@@ -193,6 +192,7 @@ libqtuiotouchplugin
 libqtwebview
 libqvnc
 libqwebgl
+librsvg
 libscene
 LibSodium
 libsqlite
@@ -214,6 +214,7 @@ lproj
 lsregister
 lstfiracode
 lualatex
+luatex
 MACBYTES
 MACFUSE
 makensis
@@ -237,26 +238,26 @@ multibytes
 mycapacitorapp
 myclass
 Nanos
-ntns
-ntics
 napi
 newsfragment
 newsfragments
 Niño
 nmspc
 nocapture
-noserver
 NONCEBYTES
 noopener
 noreferrer
 noreply
+noserver
 notbase
 notr
 nplurals
 npmkeep
 NSIS
 NSISDIR
 NSPHINXOPTS
+ntics
+ntns
 ntstatus
 numprocesses
 onboarded
@@ -271,10 +272,10 @@ oscrypto
 OSXFUSE
 OURCYGPATTERN
 Owholemodule
-Passw0rd
 PAAS
 packb
 pagetotal
+Passw0rd
 pems
 pgdg
 PGINSTALLATION
@@ -399,6 +400,7 @@ stucking
 subcode
 subsec
 swiftclient
+syft
 SymKey
 syncer
 systray

diff --git a/.github/workflows/package-server.yml b/.github/workflows/package-server.yml
@@ -49,10 +49,13 @@ jobs:
       matrix:
         include:
           - name: 🐧 Linux
+            platform: linux
             os: ubuntu-22.04
           - name: 🍎 macOS
+            platform: macos
             os: macos-12
           - name: 🏁 Windows
+            platform: windows
             os: windows-2022
     name: "${{ matrix.name }}: 📦 Packaging (build Wheel)"
     runs-on: ${{ matrix.os }}
@@ -141,9 +144,18 @@ jobs:
       - name: Generate requirements & constraints infos
         run: python server/packaging/wheel/wheel_it.py ./server --output dist --skip-wheel
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=dist/Parsec-Wheel-${{ matrix.platform }}.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-wheel
-          path: dist/
+          path: |
+            dist/
           if-no-files-found: error
         timeout-minutes: 5
diff --git a/.github/workflows/package-webapp.yml b/.github/workflows/package-webapp.yml
@@ -7,6 +7,13 @@ on:
   workflow_call:
   workflow_dispatch:
 
+# Set `concurrency` to prevent this workflow from being run on code that is not up-to-date on a PR (e.g. when making many push quickly on a PR).
+# This behavior is only intended for a PR and not for merge commits on the main branch. Having the workflow run on each merge commit can be useful to spot regressions missed by previous checks.
+# To distinguish between these cases, we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call).
+concurrency:
+  group: package-webapp-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 env:
   # We use the version 18.12 because the version >= 18.13 have some breaking changes on how they format the date.
   # That would break our unit test if we don't update them.
@@ -37,25 +44,10 @@ jobs:
         run: npm clean-install
         working-directory: client
 
-      - name: Install wasm-pack
-        run: |
-          set -eux
-          set -o pipefail
-
-          BASE_DIR=wasm-pack-v${{ env.wasm-pack-version }}-x86_64-unknown-linux-musl
-
-          mkdir -p ~/.local/bin
-
-          curl -sSL \
-            https://github.com/rustwasm/wasm-pack/releases/download/v${{ env.wasm-pack-version }}/$BASE_DIR.tar.gz \
-            | tar --extract --gzip --to-stdout \
-              $BASE_DIR/wasm-pack \
-              > ~/.local/bin/wasm-pack
-
-          chmod a+rx ~/.local/bin/wasm-pack
-
-          echo $HOME/.local/bin >> $GITHUB_PATH
-        timeout-minutes: 2
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0, wasm-pack@${{ env.wasm-pack-version }}
 
       - name: Build web bindings
         run: npm run build:release
@@ -65,10 +57,15 @@ jobs:
         run: npm run web:release
         working-directory: client
 
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Web.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: webapp
-          path: client/dist/
+          path: |
+            client/dist/
+            Parsec-SBOM-Web.spdx.json
           if-no-files-found: error
 
   electron:
@@ -77,18 +74,21 @@ jobs:
       matrix:
         include:
           - name: 🐧 Linux
+            platform: linux
             os: ubuntu-20.04
             paths: |
               client/electron/dist/parsec_*_*.snap
               client/electron/dist/parsec-*.AppImage
               client/electron/dist/latest-linux.yml
           - name: 🏁 Windows
+            platform: windows
             os: windows-2022
             paths: |
               client/electron/dist/parsec Setup *.exe
               client/electron/dist/parsec Setup *.exe.blockmap
               client/electron/dist/latest.yml
           - name: 🍎 macOS
+            platform: macos
             os: macos-12
             paths: |
               client/electron/dist/parsec-*.dmg
@@ -121,9 +121,19 @@ jobs:
         working-directory: client
         timeout-minutes: 5
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Electron-${{ matrix.platform }}.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-electron-app
-          path: ${{ matrix.paths }}
+          path: |
+            ${{ matrix.paths }}
+            Parsec-SBOM-Electron-${{ matrix.platform }}.spdx.json
           if-no-files-found: error
         timeout-minutes: 10
diff --git a/.syft.yaml b/.syft.yaml
@@ -0,0 +1,15 @@
+# Config for syft-0.84.0
+quiet: false
+
+check-for-app-update: false
+
+exclude:
+  - ./.git
+  # We don't ignore `target` & `node_modules` directories because they could contain additional dependencies not listed in the lock files.
+  # Ignoring those folder result in less entries produced.
+  # - ./target
+  # - '**/node_modules'
+  - "**/.mypy_cache"
+  - "**/.hypothesis"
+  - "**/.pytest_cache"
+  - "**/htmlcov"
diff --git a/newsfragments/4770.doc.rst b/newsfragments/4770.doc.rst
@@ -0,0 +1,2 @@
+Add SBOM (Software Bills Of Materials) generation on software packaging.
+This provides the list of dependencies used to build the software.