Generate SBOM for generated Package

Generate SBOM file for python wheels, python apps, electron apps and web app. Other Changes ------------- - Add `concurrency` to `package-webapp` workflow. Closes #4770
Scille · Jun 29, 2023 · ca4f1fb
1 parent da94d3f
commit ca4f1fb
Show file tree

Hide file tree

Showing 5 changed files with 107 additions and 28 deletions.
diff --git a/.cspell/custom-words.txt b/.cspell/custom-words.txt
@@ -26,10 +26,6 @@ browserslistrc
 Bsas
 bxsalsa
 cachekey
-latexmk
-librsvg
-luatex
-LATEXMKOPTS
 CAFILE
 camelcase
 capacitorjs
@@ -125,6 +121,7 @@ HKCR
 HKCU
 HKLM
 Hodi
+htmlcov
 hypercorn
 icccm
 IDCANCEL
@@ -145,6 +142,8 @@ JsonSchema
 jvmargs
 KeyFile
 keysyms
+latexmk
+LATEXMKOPTS
 latexpdfja
 levelno
 libasound
@@ -193,6 +192,7 @@ libqtuiotouchplugin
 libqtwebview
 libqvnc
 libqwebgl
+librsvg
 libscene
 LibSodium
 libsqlite
@@ -213,6 +213,7 @@ lproj
 lsregister
 lstfiracode
 lualatex
+luatex
 MACBYTES
 MACFUSE
 makensis
@@ -245,13 +246,16 @@ NONCEBYTES
 noopener
 noreferrer
 noreply
+noserver
 notbase
 notr
 nplurals
 npmkeep
 NSIS
 NSISDIR
 NSPHINXOPTS
+ntics
+ntns
 ntstatus
 numprocesses
 onboarded
@@ -268,6 +272,7 @@ Owholemodule
 PAAS
 packb
 pagetotal
+Passw0rd
 pems
 pgdg
 PGINSTALLATION
@@ -391,6 +396,7 @@ stucking
 subcode
 subsec
 swiftclient
+syft
 SymKey
 syncer
 systray

diff --git a/.github/workflows/package-python.yml b/.github/workflows/package-python.yml
@@ -48,10 +48,13 @@ jobs:
       matrix:
         include:
           - name: 🐧 Linux
+            platform: linux
             os: ubuntu-22.04
           - name: 🍎 macOS
+            platform: macos
             os: macos-12
           - name: 🏁 Windows
+            platform: windows
             os: windows-2022
     name: "${{ matrix.name }}: 📦 Packaging (build Wheel)"
     runs-on: ${{ matrix.os }}
@@ -138,10 +141,20 @@ jobs:
       - name: Generate requirements & constraints infos
         run: python packaging/wheel/wheel_it.py . --output dist --skip-wheel
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Wheel-${{ matrix.platform }}.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-wheel
-          path: dist/
+          path: |
+            dist/
+            Parsec-SBOM-Wheel-${{ matrix.platform }}.spdx.json
           if-no-files-found: error
         timeout-minutes: 5
 
@@ -194,10 +207,20 @@ jobs:
         working-directory: ${{ runner.temp }}
         run: snapcraft --destructive-mode
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-linux-snap.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-snap
-          path: ${{ runner.temp }}/parsec*.snap
+          path: |
+            ${{ runner.temp }}/parsec*.snap
+            Parsec-SBOM-linux-snap.spdx.json
           if-no-files-found: error
 
   package-linux-test-snap:
@@ -294,10 +317,20 @@ jobs:
             winfsp-*
         working-directory: ${{ runner.temp }}
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-windows-app.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-installer
-          path: ${{ runner.temp }}/dist/${{ steps.names.outputs.archive }}
+          path: |
+            ${{ runner.temp }}/dist/${{ steps.names.outputs.archive }}
+            Parsec-SBOM-windows-app.spdx.json
           if-no-files-found: error
 
   package-macos-build-app:
@@ -337,10 +370,20 @@ jobs:
           --directory build/pyinstaller_dist parsec.app
         working-directory: ${{ runner.temp }}
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-macos-app.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-installer
-          path: ${{ runner.temp }}/parsec-unsigned-v${{ env.WHEEL_VERSION }}-macos-amd64.tar.bz2
+          path: |
+            ${{ runner.temp }}/parsec-unsigned-v${{ env.WHEEL_VERSION }}-macos-amd64.tar.bz2
+            Parsec-SBOM-macos-app.spdx.json
           if-no-files-found: error
 
   package-macos-test-app:

diff --git a/.github/workflows/package-webapp.yml b/.github/workflows/package-webapp.yml
@@ -7,6 +7,15 @@ on:
   workflow_call:
   workflow_dispatch:
 
+# We set `concurrency` to prevent having this workflow being run on code that is not up-to-date on a PR (a user make multiple push in a quick manner).
+# But on the main branch, we don't want that behavior.
+# Having the workflow run on each merge commit is something we would like, that could help us where a regression was made and missed by previous checks.
+#
+# For that we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call).
+concurrency:
+  group: package-webapp-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 env:
   # We use the version 18.12 because the version >= 18.13 have some breaking changes on how they format the date.
   # That would break our unit test if we don't update them.
@@ -37,25 +46,10 @@ jobs:
         run: npm clean-install
         working-directory: oxidation/client
 
-      - name: Install wasm-pack
-        run: |
-          set -eux
-          set -o pipefail
-
-          BASE_DIR=wasm-pack-v${{ env.wasm-pack-version }}-x86_64-unknown-linux-musl
-
-          mkdir -p ~/.local/bin
-
-          curl -sSL \
-            https://github.com/rustwasm/wasm-pack/releases/download/v${{ env.wasm-pack-version }}/$BASE_DIR.tar.gz \
-            | tar --extract --gzip --to-stdout \
-              $BASE_DIR/wasm-pack \
-              > ~/.local/bin/wasm-pack
-
-          chmod a+rx ~/.local/bin/wasm-pack
-
-          echo $HOME/.local/bin >> $GITHUB_PATH
-        timeout-minutes: 2
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0, wasm-pack@${{ env.wasm-pack-version }}
 
       - name: Build web bindings
         run: npm run build:release
@@ -65,10 +59,15 @@ jobs:
         run: npm run web:release
         working-directory: oxidation/client
 
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Web.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: webapp
-          path: oxidation/client/dist/
+          path: |
+            oxidation/client/dist/
+            Parsec-SBOM-Web.spdx.json
           if-no-files-found: error
 
   electron:
@@ -77,23 +76,29 @@ jobs:
       matrix:
         include:
           - name: 🐧 Linux
+            platform: linux
             os: ubuntu-20.04
             paths: |
               oxidation/client/electron/dist/parsec_*_*.snap
               oxidation/client/electron/dist/parsec-*.AppImage
               oxidation/client/electron/dist/latest-linux.yml
+              Parsec-SBOM-Electron-linux.spdx.json
           - name: 🏁 Windows
+            platform: windows
             os: windows-2022
             paths: |
               oxidation/client/electron/dist/parsec Setup *.exe
               oxidation/client/electron/dist/parsec Setup *.exe.blockmap
               oxidation/client/electron/dist/latest.yml
+              Parsec-SBOM-Electron-windows.spdx.json
           - name: 🍎 macOS
+            platform: macos
             os: macos-12
             paths: |
               oxidation/client/electron/dist/parsec-*.dmg
               oxidation/client/electron/dist/parsec-*.dmg.blockmap
               oxidation/client/electron/dist/latest-mac.yml
+              Parsec-SBOM-Electron-macos.spdx.json
     name: "${{matrix.name }}: ⚡ Package electron"
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
@@ -121,6 +126,14 @@ jobs:
         working-directory: oxidation/client
         timeout-minutes: 5
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Electron-${{ matrix.platform }}.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-electron-app

diff --git a/.syft.yaml b/.syft.yaml
@@ -0,0 +1,15 @@
+# Config for syft-0.84.0
+quiet: false
+
+check-for-app-update: false
+
+exclude:
+  - ./.git
+  # We don't ignore `target` & `node_modules` folders because they could containe additional dependencies not listed in the lock files.
+  # Ignoring those folder result in less entries produced.
+  # - ./target
+  # - '**/node_modules'
+  - "**/.mypy_cache"
+  - "**/.hypothesis"
+