From ff0e589fadc9c96e514aa390bf15e8091bf88abd Mon Sep 17 00:00:00 2001
From: huf1
Date: Tue, 27 May 2025 14:31:00 +0200
Subject: [PATCH] chore(sbom): create SBoM from image

---
 .github/workflows/build.yaml | 62 ++++++++++++++++++++---
 .github/workflows/codeql-analysis.yml | 72 ---------------------------
 .github/workflows/release.yml | 4 +-
 Dockerfile | 24 ---------
 syft.yaml | 16 ++++++
 5 files changed, 74 insertions(+), 104 deletions(-)
 delete mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 syft.yaml

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3880116..4ad6c0b 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,6 +4,9 @@ on:
     branches:
       - master
   pull_request:
+    branches:
+      - master
+  workflow_dispatch:
 jobs:
   build:
     name: Build
@@ -16,13 +19,60 @@ jobs:
         run: |
           docker build --file Dockerfile --tag conplementag/cops-controller:${{ github.sha }} .
-      - name: Upload SBOM to DTrack
+      - name: Download and install syft
+        run: |
+          curl -L https://github.com/anchore/syft/releases/download/v${{ vars.SYFT_VERSION }}/syft_${{ vars.SYFT_VERSION }}_linux_amd64.tar.gz --output syft.tgz
+          echo "${{ vars.SYFT_SHA256 }} syft.tgz" > cksum.txt
+          sha256sum --check --status cksum.txt
+          if [ $? -eq 1 ]
+          then
+            echo "Security-Error: Unexpected SHA256 of downloaded syft executable!"
+            exit 1
+          fi
+          rm cksum.txt
+          tar xvfz syft.tgz
+          chmod +x ./syft
+          ./syft --version
+          export PATH=$PATH:$(pwd)
+
+      - name: Download and install cp BomCleaner
+        run: |
+          curl -L https://github.com/conplementAG/BomCleaner/releases/download/v${{ vars.BOMCLEANER_VERSION }}/dotnetbomcleaner --output dotnetbomcleaner
+          echo "${{vars.BOMCLEANER_SHA256 }} dotnetbomcleaner" > cksum.txt
+          sha256sum --check --status cksum.txt
+          if [ $? -eq 1 ]
+          then
+            echo "Security-Error: Unexpected SHA256 of downloaded bomcleaner executable!"
+            exit 1
+          fi
+          rm cksum.txt
+          chmod +x ./dotnetbomcleaner
+          export PATH=$PATH:$(pwd)
+
+      - name: Create SBoM with syft
+        run: |
+          ./syft conplementag/cops-controller:${{ github.sha }} -c syft.yaml -o cyclonedx-xml=sbom.xml
+          ret_code=$?
+          if [ $ret_code -ne 0 ]
+          then
+            echo "syft failed to create SBoM with error code $ret_code"
+            exit 1
+          fi
+          cat sbom.xml
+
+      - name: Clean SBoM with cp BomCleaner
+        run: |
+          id=$(docker create conplementag/cops-controller:${{ github.sha }})
+          docker cp $id:/app/ConplementAG.CopsController.deps.json ./ConplementAG.CopsController.deps.json
+          docker rm -v $id
+          ./dotnetbomcleaner sbom.xml ConplementAG.CopsController.deps.json
+
+          cat ./cleanbom.xml
+
+      - name: Upload SBoM to DTrack
         run: |
-          docker run --name cops-controller-${{ github.sha }} --entrypoint dotnet conplementag/cops-controller:${{ github.sha }} --info
-          docker cp cops-controller-${{ github.sha }}:/sboms/ ./sboms
           echo "Uploading SBOM to ${{ vars.DTRACK_URL }}/api/v1/bom"
-          curl --retry 5 --retry-delay 60 -X 'POST' '${{ vars.DTRACK_URL }}/api/v1/bom' -H 'Content-Type:multipart/form-data' -H 'X-API-Key:${{ secrets.DTRACK_API_KEY }}' -F 'project=${{ secrets.DTRACK_PROJECTID }}' -F 'bom=@./sboms/cops-controller-sbom.xml'
+          curl --retry 5 --retry-delay 60 -X 'POST' '${{ vars.DTRACK_URL }}/api/v1/bom' -H 'Content-Type:multipart/form-data' -H 'X-API-Key:${{ secrets.DTRACK_API_KEY }}' -F 'project=${{ secrets.DTRACK_PROJECTID }}' -F 'bom=@./cleanbom.xml'
           echo "Updating Project Version in ${{ vars.DTRACK_URL }}/api/v1/project"
-          curl --retry 5 --retry-delay 60 -X 'POST' '${{ vars.DTRACK_URL }}/api/v1/project' -H 'Content-Type:application/json' -H 'Accept:application/json' -H 'X-Api-Key:${{ secrets.DTRACK_API_KEY }}' -d '{"uuid": "${{ secrets.DTRACK_PROJECTID }}","name": "${{ vars.DTRACK_PROJECTNAME }}","version": "${{ github.sha }}","classifier": "APPLICATION","tags": [],"active": true}'
+          curl --retry 5 --retry-delay 60 -X 'POST' '${{ vars.DTRACK_URL }}/api/v1/project' -H 'Content-Type:application/json' -H 'Accept:application/json' -H 'X-Api-Key:${{ secrets.DTRACK_API_KEY }}' -d '{"uuid": "${{ secrets.DTRACK_PROJECTID }}","name": "${{ vars.DTRACK_PROJECTNAME }}","version": "${{ github.sha }}","classifier": "APPLICATION","tags": [],"active": true}'
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 617fece..0000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
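Review bot: The syft and BomCleaner pins now come from repository variables (`vars.SYFT_VERSION`, `vars.SYFT_SHA256`, `vars.BOMCLEANER_VERSION`, `vars.BOMCLEANER_SHA256`) instead of the committed constants the Dockerfile hunk deletes (`ARG SYFT_RELEASE=1.22.0`, `ARG SYFT_SHA256=e324f9…`), so the expected digest can be changed in repository settings without a reviewed commit and the `sha256sum --check` gate only proves the download matches whatever the variable currently says; keeping version and digest as literals in the workflow keeps the pin under code review. Under the default step shell (`bash -e`) the step already aborts when `sha256sum --check` or `./syft` returns non-zero, so the `if [ $? -eq 1 ]` blocks and the `ret_code=$?` test are never reached on failure; if the explicit message is wanted, write `sha256sum --check --status cksum.txt || { echo "Security-Error: Unexpected SHA256 of downloaded syft executable!"; exit 1; }` (and test `-ne 0` rather than `-eq 1` wherever the if-form stays, since any non-zero status is a failure). The `export PATH=$PATH:$(pwd)` lines at the end of both install steps have no effect on later steps because each `run:` is a separate shell; the later steps already call `./syft` and `./dotnetbomcleaner`, so the exports can be dropped (or the directory appended to `$GITHUB_PATH` if a PATH entry is really intended). Adding `--fail` to the two download `curl -L` calls turns a 404 body into an immediate error instead of a checksum mismatch a few lines later, and `$id` in the BomCleaner step should be quoted. The `build` job's `steps:` list begins above the hunk, and the same commit deletes codeql-analysis.yml, which is unrelated to the SBoM change and drops the code-scanning workflow, so it deserves a separate, explicitly justified commit.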
@@ -1,72 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ "master" ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "master" ]
-  schedule:
-    - cron: '28 15 * * 6'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'csharp' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-
-    # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # â„šī¸ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #     echo "Run, Build Application using script"
-    #     ./location_of_script_within_repo/buildscript.sh
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 12ec0b0..cc9c7ed 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: 'release'
+name: release
 on:
   push:
     branches:
@@ -15,7 +15,7 @@ jobs:
         id: release
         with:
           release-type: helm
-          package-name: cops-controller
+          package-name: cops-controller
           extra-files: |
             deployment/cops-controller/Chart.yaml
             deployment/cops-controller/values.yaml
diff --git a/Dockerfile b/Dockerfile
index 4e9b30e..444df8d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,22 +1,6 @@
 # .NET 8 LTS End of Lifetime is on 10/11/2026
 FROM mcr.microsoft.com/dotnet/sdk:8.0-jammy AS build-env
-## Tooling prerequisites CycloneDX Docker ##################
-ARG SYFT_RELEASE=1.22.0
-ARG SYFT_SHA256=e324f92306232b8f8e80e9a4d5be9418aafe59d5e7ce8c42a3ad86bb3f0ed6b3
-RUN curl -sLO https://github.com/anchore/syft/releases/download/v${SYFT_RELEASE}/syft_${SYFT_RELEASE}_linux_amd64.deb && \
-    echo "${SYFT_SHA256} syft_${SYFT_RELEASE}_linux_amd64.deb" | sha256sum --check --status && \
-    dpkg -i syft_${SYFT_RELEASE}_linux_amd64.deb && \
-    rm syft_${SYFT_RELEASE}_linux_amd64.deb
-## CycloneDX CLI
-ARG CycloneDXCLIVersion=0.27.2
-RUN curl -LO https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CycloneDXCLIVersion}/cyclonedx-linux-x64
-RUN chmod +x cyclonedx-linux-x64
-RUN mv cyclonedx-linux-x64 $GOPATH/bin
-RUN cyclonedx-linux-x64 --version
-
-RUN dotnet tool install --global CycloneDX
-
 WORKDIR /app
 COPY *.csproj ./
@@ -25,13 +9,6 @@ RUN dotnet restore ConplementAG.CopsController.csproj
 COPY . ./
 RUN dotnet publish ConplementAG.CopsController.csproj -c Release -o out
-RUN mkdir /sboms
-WORKDIR /sboms
-RUN /root/.dotnet/tools/dotnet-CycloneDX /app/ConplementAG.CopsController.csproj -o .
-RUN syft scan mcr.microsoft.com/dotnet/aspnet:8.0-jammy -o cyclonedx-xml=./docker-sbom.xml
-RUN cyclonedx-linux-x64 merge --input-files bom.xml docker-sbom.xml --output-file cops-controller-sbom.xml
-RUN cyclonedx-linux-x64 convert --input-file cops-controller-sbom.xml --output-file cops-controller-sbom-v1.5.xml --output-version v1_5 # DTrack
-
 # .NET 8 LTS End of Lifetime is on 10/11/2026
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled
@@ -42,5 +19,4 @@ ENV ASPNETCORE_URLS=http://+:8080
 WORKDIR /app
 COPY --from=build-env /app/out .
-COPY --from=build-env --chown=donetuser:donetuser /sboms/cops-controller-sbom-v1.5.xml /sboms/cops-controller-sbom.xml
 ENTRYPOINT ["dotnet", "ConplementAG.CopsController.dll"]
\ No newline at end of file
diff --git a/syft.yaml b/syft.yaml
new file mode 100644
index 0000000..79a8c84
--- /dev/null
+++ b/syft.yaml
@@ -0,0 +1,16 @@
+default-catalogers:
+  - alpm-db-cataloger
+  - apk-db-cataloger
+  - binary-classifier-cataloger
+  - dotnet-packages-lock-cataloger
+  - dpkg-db-cataloger
+  - go-module-binary-cataloger
+  - go-module-file-cataloger
+  - linux-kernel-cataloger
+  - rpm-archive-cataloger
+  - rpm-db-cataloger
+  - sbom-cataloger
+check-for-app-update: true
+format:
+  pretty: true
+parallelism: 1
\ No newline at end of file
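Review bot: `check-for-app-update: true` makes every run of the "Create SBoM with syft" step contact the syft release endpoint to look for a newer version, even though build.yaml pins and hash-checks the syft binary it runs; set it to `false` so the job's network dependencies stay limited to the image registry and DTrack and the step's behaviour does not vary with what upstream has published. The `default-catalogers` list names `dotnet-packages-lock-cataloger` but no cataloger for `*.deps.json`, while the next workflow step extracts `/app/ConplementAG.CopsController.deps.json` from the same image — presumably that file is what carries the published .NET dependencies, so confirm that they actually appear in sbom.xml before the cleaner runs (syft's `dotnet-deps-cataloger` is the one that reads deps.json). A header comment such as `# syft configuration consumed by .github/workflows/build.yaml (-c syft.yaml)` and a trailing newline at end of file would also help.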