Skip to content

Add augmentation and enrichment to keycloak pipeline #29

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Oct 1, 2024
Merged

Add augmentation and enrichment to keycloak pipeline #29

merged 20 commits into from
Oct 1, 2024

Conversation

idunbarh
Copy link
Contributor

@idunbarh idunbarh commented Sep 30, 2024
edited
Loading

This PR adds the remaining capabilities to the Phase 1 Keycloak workflow.

This PR adds:

Additionally there are several tweaks:

  • Changing trivy to scan offline due to how long the workflow was running
  • validating only the enriched SBOMs

You can find the SBOM Quality Scoring here.

@idunbarh
feat: adding cyclonedx augmentation to keycloak
cf25897 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh
feat: adding augmentation to phase 1 keycloak
8dfba99 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh
adding sbomasm download to the workflow
b3231ce 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh
fix: update trivy parallel to 4, to match number of cpus in github ru…
f272863 
…nners

Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh
adding docs and parlay for enriching
781adf2 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh
fixing parlay tar issue
76c2f67 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh
fixing parlay tar issue
65679ea 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh
only validating enriched SBOMs
9f1ab84 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh idunbarh linked an issue Sep 30, 2024 that may be closed by this pull request
Add augmentation to keycloak pipeline #24
Closed
@idunbarh idunbarh requested review from douglasdennis, tiegz and a team September 30, 2024 05:04
@idunbarh
fixing link
d03df22 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
djmoch
djmoch reviewed Sep 30, 2024
View reviewed changes
Copy link
Contributor

@djmoch djmoch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any mention of sbomasm in the README, while parlay and snyk are both discussed. Am I just missing the discussion of sbomasm? Should we add some discussion to the README?

@idunbarh
minor spelling
4bc2c15 
Signed-off-by: Ian Dunbar-Hall <[email protected]>
@idunbarh
Copy link
Contributor Author

I don't see any mention of sbomasm in the README, while parlay and snyk are both discussed. Am I just missing the discussion of sbomasm? Should we add some discussion to the README?

Its included under ...

- `Augment Keycloak SPDX` and `Augment Keycloak CycloneDX` Jobs
  - __Tool__
    - [sbomasm](https://github.com/interlynk-io/sbomasm)

I'm not super happy with how this info is presented, which leads to details being missed.

tiegz
tiegz reviewed Sep 30, 2024
View reviewed changes
Copy link
Member

@tiegz tiegz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good! Left a few minor changes/questions

@douglasdennis
Copy link
Contributor

It looks like there is a bug or something in parlay where it doesn't fill in supplier information for SPDX. A quick search found this open issue: snyk/parlay#76

I didn't see a fix in there, but I've only scanned pretty quickly.

douglasdennis
douglasdennis reviewed Oct 1, 2024
View reviewed changes
Copy link
Contributor

@douglasdennis douglasdennis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still running through some of the scorecard to see what the enrichments are doing. What would be the best way to handle that? Maybe merge this and then start opening issues that get PRs to fix? Or do we want to keep tackling stuff in this PR?

@idunbarh
Copy link
Contributor Author

idunbarh commented Oct 1, 2024

I'm still running through some of the scorecard to see what the enrichments are doing. What would be the best way to handle that? Maybe merge this and then start opening issues that get PRs to fix? Or do we want to keep tackling stuff in this PR?

My vote would be merge, and then continue to improve through additional PRs.

idunbarh and others added 2 commits September 30, 2024 21:29
@dasarpjonam
Copy link
Collaborator

@idunbarh - Thanks for putting this together. This looks good to me. The sbomqs is too verbose. it could be a artifact. we can have a green (pass) or red(fail) stamp based on the sbomqs output.

@idunbarh
Adding the --append option to SPDX augmentation to ensure the tool in…
4d57439 
…formation is not overridden

Signed-off-by: Ian Dunbar-Hall <[email protected]>
vpetersson
vpetersson approved these changes Oct 1, 2024
View reviewed changes
Copy link
Collaborator

@vpetersson vpetersson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added minor comments.

@idunbarh idunbarh merged commit 336d4d9 into main Oct 1, 2024
9 checks passed
@idunbarh idunbarh deleted the 24-add-augmentation-to-keycloak-pipeline branch October 1, 2024 18:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dasarpjonam dasarpjonam dasarpjonam left review comments

@douglasdennis douglasdennis douglasdennis left review comments

@tiegz tiegz tiegz approved these changes

@vpetersson vpetersson vpetersson approved these changes

@djmoch djmoch djmoch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add augmentation to keycloak pipeline
6 participants
@idunbarh @douglasdennis @dasarpjonam @tiegz @vpetersson @djmoch