Generate SBOM for generated Package

Generate SBOM file for python wheels, python apps, electron apps and web app. Other Changes ------------- - Add `concurrency` to `package-webapp` workflow. Closes #4770 Signed-off-by: firelight flagboy <firelight.flagboy@gmail.com>
Scille · Jul 6, 2023 · e38b597 · e38b597
1 parent a7f55b1
commit e38b597
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 28 deletions.
diff --git a/.cspell/custom-words.txt b/.cspell/custom-words.txt
@@ -26,10 +26,6 @@ browserslistrc
 Bsas
 bxsalsa
 cachekey
-latexmk
-librsvg
-luatex
-LATEXMKOPTS
 CAFILE
 camelcase
 capacitorjs
@@ -125,6 +121,7 @@ HKCR
 HKCU
 HKLM
 Hodi
+htmlcov
 hypercorn
 icccm
 IDCANCEL
@@ -145,6 +142,8 @@ JsonSchema
 jvmargs
 KeyFile
 keysyms
+latexmk
+LATEXMKOPTS
 latexpdfja
 levelno
 libasound
@@ -193,6 +192,7 @@ libqtuiotouchplugin
 libqtwebview
 libqvnc
 libqwebgl
+librsvg
 libscene
 LibSodium
 libsqlite
@@ -213,6 +213,7 @@ lproj
 lsregister
 lstfiracode
 lualatex
+luatex
 MACBYTES
 MACFUSE
 makensis
@@ -245,13 +246,16 @@ NONCEBYTES
 noopener
 noreferrer
 noreply
+noserver
 notbase
 notr
 nplurals
 npmkeep
 NSIS
 NSISDIR
 NSPHINXOPTS
+ntics
+ntns
 ntstatus
 numprocesses
 onboarded
@@ -268,6 +272,7 @@ Owholemodule
 PAAS
 packb
 pagetotal
+Passw0rd
 pems
 pgdg
 PGINSTALLATION
@@ -391,6 +396,7 @@ stucking
 subcode
 subsec
 swiftclient
+syft
 SymKey
 syncer
 systray

diff --git a/.github/workflows/package-python.yml b/.github/workflows/package-python.yml
@@ -48,10 +48,13 @@ jobs:
       matrix:
         include:
           - name: 🐧 Linux
+            platform: linux
             os: ubuntu-22.04
           - name: 🍎 macOS
+            platform: macos
             os: macos-12
           - name: 🏁 Windows
+            platform: windows
             os: windows-2022
     name: "${{ matrix.name }}: 📦 Packaging (build Wheel)"
     runs-on: ${{ matrix.os }}
@@ -138,6 +141,14 @@ jobs:
       - name: Generate requirements & constraints infos
         run: python packaging/wheel/wheel_it.py . --output dist --skip-wheel
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=dist/Parsec-SBOM-Wheel-${{ matrix.platform }}.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-wheel
@@ -168,6 +179,9 @@ jobs:
           name: ${{ runner.os }}-${{ runner.arch }}-wheel
           path: dist
 
+      - name: List downloaded artifacts
+        run: tree dist
+
       - name: Copy snap build configuration
         working-directory: ${{ runner.temp }}
         run: |
@@ -194,10 +208,20 @@ jobs:
         working-directory: ${{ runner.temp }}
         run: snapcraft --destructive-mode
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=${{ runner.temp }}/Parsec-SBOM-linux-snap.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-snap
-          path: ${{ runner.temp }}/parsec*.snap
+          path: |
+            ${{ runner.temp }}/parsec*.snap
+            ${{ runner.temp }}/Parsec-SBOM-linux-snap.spdx.json
           if-no-files-found: error
 
   package-linux-test-snap:
@@ -248,6 +272,9 @@ jobs:
           name: ${{ runner.os }}-${{ runner.arch }}-wheel
           path: dist
 
+      - name: List downloaded artifacts
+        run: Get-ChildItem -Recurse -Path dist
+
       - uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c # pin v1.3.1
 
       - name: Build Icon overlays COM objects
@@ -286,18 +313,28 @@ jobs:
           md dist
           cd build
           # cspell:disable-next-line
-          7z a -tzip ..\dist\${{ steps.names.outputs.archive }} `
+          7z a -tzip ..\${{ steps.names.outputs.archive }} `
             manifest.ini `
             install_files.nsh `
             uninstall_files.nsh `
             parsec-* `
             winfsp-*
         working-directory: ${{ runner.temp }}
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=${{ runner.temp }}/Parsec-SBOM-windows-app.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-installer
-          path: ${{ runner.temp }}/dist/${{ steps.names.outputs.archive }}
+          path: |
+            ${{ runner.temp }}/${{ steps.names.outputs.archive }}
+            ${{ runner.temp }}/Parsec-SBOM-windows-app.spdx.json
           if-no-files-found: error
 
   package-macos-build-app:
@@ -320,6 +357,9 @@ jobs:
           name: ${{ runner.os }}-${{ runner.arch }}-wheel
           path: dist
 
+      - name: List downloaded artifacts
+        run: ls -lR dist
+
       - name: Copy packaging script
         run: cp -Rv ${{ github.workspace }}/packaging/macOS/* ${{ runner.temp }}
 
@@ -337,10 +377,20 @@ jobs:
           --directory build/pyinstaller_dist parsec.app
         working-directory: ${{ runner.temp }}
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=${{ runner.temp }}/Parsec-SBOM-macos-app.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-installer
-          path: ${{ runner.temp }}/parsec-unsigned-v${{ env.WHEEL_VERSION }}-macos-amd64.tar.bz2
+          path: |
+            ${{ runner.temp }}/parsec-unsigned-v${{ env.WHEEL_VERSION }}-macos-amd64.tar.bz2
+            ${{ runner.temp }}/Parsec-SBOM-macos-app.spdx.json
           if-no-files-found: error
 
   package-macos-test-app:

diff --git a/.github/workflows/package-webapp.yml b/.github/workflows/package-webapp.yml
@@ -7,6 +7,13 @@ on:
   workflow_call:
   workflow_dispatch:
 
+# Set `concurrency` to prevent this workflow from being run on code that is not up-to-date on a PR (e.g. when making many push quickly on a PR).
+# This behavior is only intended for a PR and not for merge commits on the main branch. Having the workflow run on each merge commit can be useful to spot regressions missed by previous checks.
+# To distinguish between these cases, we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call).
+concurrency:
+  group: package-webapp-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 env:
   # We use the version 18.12 because the version >= 18.13 have some breaking changes on how they format the date.
   # That would break our unit test if we don't update them.
@@ -37,25 +44,10 @@ jobs:
         run: npm clean-install
         working-directory: oxidation/client
 
-      - name: Install wasm-pack
-        run: |
-          set -eux
-          set -o pipefail
-
-          BASE_DIR=wasm-pack-v${{ env.wasm-pack-version }}-x86_64-unknown-linux-musl
-
-          mkdir -p ~/.local/bin
-
-          curl -sSL \
-            https://github.com/rustwasm/wasm-pack/releases/download/v${{ env.wasm-pack-version }}/$BASE_DIR.tar.gz \
-            | tar --extract --gzip --to-stdout \
-              $BASE_DIR/wasm-pack \
-              > ~/.local/bin/wasm-pack
-
-          chmod a+rx ~/.local/bin/wasm-pack
-
-          echo $HOME/.local/bin >> $GITHUB_PATH
-        timeout-minutes: 2
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0, wasm-pack@${{ env.wasm-pack-version }}
 
       - name: Build web bindings
         run: npm run build:release
@@ -65,10 +57,15 @@ jobs:
         run: npm run web:release
         working-directory: oxidation/client
 
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Web.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: webapp
-          path: oxidation/client/dist/
+          path: |
+            oxidation/client/dist/
+            Parsec-SBOM-Web.spdx.json
           if-no-files-found: error
 
   electron:
@@ -77,23 +74,29 @@ jobs:
       matrix:
         include:
           - name: 🐧 Linux
+            platform: linux
             os: ubuntu-20.04
             paths: |
               oxidation/client/electron/dist/parsec_*_*.snap
               oxidation/client/electron/dist/parsec-*.AppImage
               oxidation/client/electron/dist/latest-linux.yml
+              Parsec-SBOM-Electron-linux.spdx.json
           - name: 🏁 Windows
+            platform: windows
             os: windows-2022
             paths: |
               oxidation/client/electron/dist/parsec Setup *.exe
               oxidation/client/electron/dist/parsec Setup *.exe.blockmap
               oxidation/client/electron/dist/latest.yml
+              Parsec-SBOM-Electron-windows.spdx.json
           - name: 🍎 macOS
+            platform: macos
             os: macos-12
             paths: |
               oxidation/client/electron/dist/parsec-*.dmg
               oxidation/client/electron/dist/parsec-*.dmg.blockmap
               oxidation/client/electron/dist/latest-mac.yml
+              Parsec-SBOM-Electron-macos.spdx.json
     name: "${{matrix.name }}: ⚡ Package electron"
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
@@ -121,6 +124,14 @@ jobs:
         working-directory: oxidation/client
         timeout-minutes: 5
 
+      # Install syft
+      - uses: taiki-e/install-action@486baeb8af63bc3d9ec3ec66db5af6ba0ca78774 # pin v2.11.6
+        with:
+          tool: syft@0.84.0
+
+      - name: Generate SBOM
+        run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Electron-${{ matrix.platform }}.spdx.json .
+
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # pin v3.1.2
         with:
           name: ${{ runner.os }}-${{ runner.arch }}-electron-app

diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
@@ -116,6 +116,9 @@ jobs:
         env:
           BASH_XTRACEFD: 1
 
+      - name: Copy SBOM files
+        run: cp -v artifacts/**/Parsec-SBOM-*.spdx.json release-files
+
       - name: Generate version file
         run:
           (

diff --git a/.syft.yaml b/.syft.yaml
@@ -0,0 +1,15 @@
+# Config for syft-0.84.0
+quiet: false
+
+check-for-app-update: false
+
+exclude:
+  - ./.git
+  # We don't ignore `target` & `node_modules` directories because they could contain additional dependencies not listed in the lock files.
+  # Ignoring those folder result in less entries produced.
+  # - ./target
+  # - '**/node_modules'
+  - "**/.mypy_cache"
+  - "**/.hypothesis"
+  - "**/.pytest_cache"
+  - "**/htmlcov"
diff --git a/newsfragments/4770.doc.rst b/newsfragments/4770.doc.rst
@@ -0,0 +1,2 @@
+Add SBOM (Software Bills Of Materials) generation on software packaging.
+This provides the list of dependencies used to build the software.