Add an sbom workflow #6251
Open
Amndeep7 wants to merge 18 commits into master from sbom-workflow
Explore sbom options
…t permissions of generated file
… consequently permissions can get wonky between them so let's just give it everything.
…e contents of /bin
Explore sbom options
#6035 - can use the deploy preview here to visualize cyclonedx sboms
GH export SBOM button
Button on the dependency graph that needs to be manually clicked by a logged in person (who presumably has maintainership over the project?), produces what seems to be high quality spdx output, presumably only gives you the sbom for the current state of the default branch
https://github.com/mitre/heimdall2/network/dependencies
heimdall2_mitre_134f056cbf445867284713e2fe0eeb4ad40672bb.json
GH sbom generator action
Unmaintained action, seems to produce not high quality SPDX output only, errors out when trying to convert that SPDX output into CycloneDX format using cyclonedx-cli
https://github.com/advanced-security/sbom-generator-action
spdx-3dce7cb9-8f9a-422f-915c-17d53749621d.spdx.json
GH sbom cli
Maintained CLI tool, available in the runner by default; need to install an extension (that seems to only get intermittent maintenance) in order to hook into the GitHub SBOM generation APIs.
SPDX output seems to be high quality and more or less matches the output from the 'export sbom' button in the dependency graph UI; the SPDX output errors out when trying to convert it into CycloneDX.
Native CycloneDX times out, I think due to using up all the allowed time trying to hit the GraphQL API.
https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md
https://github.com/advanced-security/gh-sbom
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-github-cli-in-workflows
https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#about-secondary-rate-limits
ghas_cli_sbom.spdx.json
Anchore Syft action
Maintained action; SPDX output still throws errors when trying to convert it into CycloneDX.
https://github.com/anchore/sbom-action
Directory - uninstalled deps
Relatively high quality, seems to provide a full listing of all of the ruby (inspecjs -> inspec-bin for use to update the schema) and npm dependencies, but doesn't list out the go dependencies that were brought in by esbuild, doesn't provide good cross-npm-library dependencies that it should still be able to generate from just the yarn.lock file (the '.' directory is just dependent on everything in there, but ex. doesn't show how all the AWS dependencies are connected)
syft_directory.spdx.json
Just a component list that seems to contain the same components
syft_directory.cdx.json
Directory - with installed deps
More or less the same as above, except it seems to have discovered an additional 100 or so deps somehow.
syft_directory_installed.spdx.json
syft_directory_installed.cdx.json
Use the CycloneDX diff functionality to determine what the diff is between the two BOMs, specifically which deps were discovered.
The differences seem inconsequential. The following command

```powershell
.\cyclonedx-win-x64.exe diff --component-versions --output-format json '.\Syft SBOM experiments\syft_directory.cdx.json' '.\Syft SBOM experiments - just directory - installed\syft_directory_installed.cdx.json' > diff.json
```

created a file that showcased that almost everything was unchanged, though there were a few that had stuff in them; for some reason they seemed like they were primarily GitHub Action related but seemed to also have the esbuild stuff and some random other ones. You can use `added": \[\n` as an example search regex.
diff.json
Image
Relatively high quality, provides the go (esbuild) and npm and operating system (rhel) dependencies but no ruby ones (which makes sense since we don't copy over any of the ruby package manager related stuff into the container), the operating system and go dependencies are properly linked up but the npm ones are not cross-connected properly even though presumably they ought to be since at least the backend's node_modules was brought in
syft_image.spdx.json
Contains more or less the same info ^
syft_image.cdx.json
CycloneDX
Microsoft SBOM-Tool
Does not produce high quality SBOMs. 1) Generates v2.2 SPDX files only (as far as I can tell), whereas the current version of the spec is 2.3 on the 2.x branch and 3.0 on the latest version; 2) requires a workaround to be converted via the cyclone-dx CLI (the bug seems to be on the CycloneDX side); 3) more specific info in the directory vs image discussions.
https://github.com/microsoft/sbom-tool
https://github.com/microsoft/sbom-tool/blob/main/docs/sbom-tool-arguments.md
https://github.com/microsoft/sbom-tool/blob/main/docs/setting-up-github-actions.md
https://learn.microsoft.com/en-us/azure/security/container-secure-supply-chain/articles/attach-sbom
SBOM conversion issue. CycloneDX/cyclonedx-cli#385
ExternalRefCategory 'PACKAGE_MANAGER' is not compliant with SPDX 2.2 specification CycloneDX/cyclonedx-dotnet-library#267
Directory
It processes every single file in the directory that I pointed it at resulting in an absolutely insane number of results due to the .git and various node_modules directories. For the packages that it does find, it doesn't return any useful data aside from the name and package version. On top of that, it actually skips a considerable amount of packages according to the output from the terminal and doesn't find any of the relationships.
directory.cdx.json.zip
manifest.spdx.json.zip
manifest_fixed.spdx.json.zip
Image
Same as above but it only found a couple hundred linux packages.
image.zip
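As an added example (not part of this PR, and not cyclonedx-cli's own code), here is a small Python script that does the same kind of `--component-versions` comparison described in the diff step above, but on two CycloneDX JSON documents directly: it keys each component by its purl with the version stripped (falling back to group/name when there is no purl), reports added, removed and version-changed components, and tallies the added ones by package ecosystem so it is obvious at a glance whether the extra deps are Go modules, npm packages or GitHub Actions. The two SBOMs are constructed inline for the example and assume only the common CycloneDX 1.x JSON shape (`bomFormat`, `components` with `name`, `version`, `purl`); the function names are mine.

```python
import json

# Two minimal CycloneDX JSON documents, constructed for this example (they are
# not real Syft output and not the files attached to the PR). Only the fields
# the diff needs are populated: "components" with name/version/purl.
SBOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "esbuild", "version": "0.19.2",
         "purl": "pkg:npm/esbuild@0.19.2"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})

SBOM_AFTER = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "esbuild", "version": "0.19.2",
         "purl": "pkg:npm/esbuild@0.19.2"},
        {"type": "library", "name": "golang.org/x/sys", "version": "v0.15.0",
         "purl": "pkg:golang/golang.org/x/sys@v0.15.0"},
    ],
})


def component_key(component):
    """Identity of a component independent of its version.

    Prefer the package URL with the version removed (in a purl the version
    follows the first literal '@'; '@' inside a namespace is percent-encoded),
    since two generators may spell the bare name differently. Fall back to
    group/name when no purl is present."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def load_components(sbom_json):
    """Map component identity -> version for one CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {component_key(c): c.get("version") for c in doc.get("components", [])}


def diff_sboms(before_json, after_json):
    """Component-level diff: what was added, removed, or changed version."""
    before = load_components(before_json)
    after = load_components(after_json)
    common = before.keys() & after.keys()
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = sorted((k, before[k], after[k]) for k in common if before[k] != after[k])
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "unchanged": len(common) - len(changed),
    }


def ecosystem_summary(keys):
    """Count component identities by purl type (npm, golang, github, ...),
    which is the quickest way to see where a batch of newly discovered
    components came from."""
    summary = {}
    for key in keys:
        if key.startswith("pkg:"):
            ecosystem = key.split("/", 1)[0].removeprefix("pkg:")
        else:
            ecosystem = "unknown"
        summary[ecosystem] = summary.get(ecosystem, 0) + 1
    return summary


if __name__ == "__main__":
    result = diff_sboms(SBOM_BEFORE, SBOM_AFTER)
    print(json.dumps(result, indent=2))
    print("added by ecosystem:", ecosystem_summary(result["added"]))
```

Pointing `diff_sboms` at the contents of two real `.cdx.json` files (for instance the uninstalled-deps and installed-deps Syft outputs) gives the same "mostly unchanged, a handful added" picture as the cyclonedx-cli command, with the ecosystem tally answering the question of whether the extra components are GitHub Action or esbuild (Go) related.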