Skip to content
Generate and Upload SBOM Reports

chore(deps-dev): bump org.apache.maven.plugins:maven-compiler-plugin … #356

Sign in to view logs

chore(deps-dev): bump org.apache.maven.plugins:maven-compiler-plugin …

chore(deps-dev): bump org.apache.maven.plugins:maven-compiler-plugin … #356

Workflow file for this run

.github/workflows/ops-sbom.yml at f49625c
name: Generate and Upload SBOM Reports
on:
push:
tags:
- 'v**'
- 'nightly'
permissions:
contents: read
jobs:
enrich_and_upload_sbom:
permissions:
contents: write
if: github.repository == 'JanssenProject/jans'
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Fetch Jans SBOM from Github
run: |
curl -H "Accept: application/vnd.github.v3.raw" \
-o gh-sbom.json \
https://api.github.com/repos/JanssenProject/jans/dependency-graph/sbom
wc gh-sbom.json
- name: Install jq
run: |
sudo apt-get update
sudo apt-get install -y jq
- name: Trim SBOM
run: |
jq '.sbom' gh-sbom.json > trimmed-sbom.json
wc trimmed-sbom.json
- name: Install Parlay CLI
run: |
curl -s https://api.github.com/repos/snyk/parlay/releases/latest |
grep "browser_download_url" |
grep -P "parlay_\d+\.\d+\.\d+_linux_amd64.deb" |
cut -d '"' -f 4 |
xargs curl -LO
sudo dpkg -i parlay_*_linux_amd64.deb
- name: Enrich trimmed SBOM using Parlay
run: |
cat trimmed-sbom.json | \
parlay ecosystems enrich - | \
parlay scorecard enrich - > jans-sbom.json
wc jans-sbom.json
- name: Install sbomqs to generate compliance reports
run: |
curl -s https://api.github.com/repos/interlynk-io/sbomqs/releases/latest | \
grep "browser_download_url" | \
grep -P "sbomqs_\d+\.\d+\.\d+_amd64.deb" | \
cut -d '"' -f 4 | xargs curl -LO
sudo dpkg -i sbomqs_*_amd64.deb
- name: Generate compliance reports using sbomqs
run: |
sbomqs compliance --fsct -j jans-sbom.json > jans-sbom-fsct-report.json
wc jans-sbom-fsct-report.json
sbomqs compliance --bsi-v2 -j jans-sbom.json > jans-sbom-bsi-v2-report.json
wc jans-sbom-bsi-v2-report.json
sbomqs compliance --ntia -j jans-sbom.json > jans-sbom-NTIA-report.json
wc jans-sbom-NTIA-report.json
sbomqs compliance --oct -j jans-sbom.json > jans-sbom-openchain-report.json
wc jans-sbom-openchain-report.json
- name: Upload the enriched SBOM and compliance reports to the release
run: |
VERSION="$(echo ${{ github.event.ref }} | cut -d '/' -f 3)"
echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
gh release upload "${VERSION}" jans-sbom.json jans-sbom-fsct-report.json \
jans-sbom-bsi-v2-report.json jans-sbom-NTIA-report.json \
jans-sbom-openchain-report.json --clobber