From 29f45dbf0c648fe382364d012a6acdfb11072e47 Mon Sep 17 00:00:00 2001 From: "Ricardo A. Reyes" Date: Mon, 9 Dec 2024 17:27:33 -0500 Subject: [PATCH 1/7] Adding Harbor for Phase 2 workflow, primarely a Go project Signed-off-by: Ricardo A. Reyes
--- .github/workflows/phase_2_harbor.yml | 221 +++++++++++++++++++++++++++ 1 file changed, 221 insertions(+) create mode 100644 .github/workflows/phase_2_harbor.yml
diff --git a/.github/workflows/phase_2_harbor.yml b/.github/workflows/phase_2_harbor.yml new file mode 100644
index 0000000..6304fff
--- /dev/null
+++ b/.github/workflows/phase_2_harbor.yml
@@ -0,0 +1,221 @@
+---
+name: Phase 2 - Harbor
+on:
+ push:
+ paths:
+ - .github/workflows/phase_2_harbor.yml
+
+env:
+ HARBOR_TAG: 2.11.2
+ PARLAY_VERSION: 0.6.0
+ SBOMASM_VERSION: 0.1.5
+ SBOMQS_VERSION: 0.1.9
+ TRIVY_VERSION: 0.54.1
+
+jobs:
+ Generate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install Trivy
+ run: |
+ curl -L -o /tmp/trivy.tgz \
+ "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
+ tar xvf /tmp/trivy.tgz -C /tmp
+ chmod +x /tmp/trivy
+
+ - name: Checkout Harbor
+ run: |
+ git --version
+ git clone https://github.com/goharbor/harbor.git
+ pwd
+ cp -r harbor harbor-${HARBOR_TAG}
+ ls harbor-${HARBOR_TAG}
+
+
+ - name: Generate SBOM with Trivy
+ run: |
+ /tmp/trivy fs \
+ --timeout 30m0s \
+ --parallel 0 \
+ --format cyclonedx \
+ --skip-db-update \
+ --offline-scan \
+ --output /tmp/generated-harbor-sbom.cdx.json \
+ harbor-${HARBOR_TAG}
+
+ /tmp/trivy fs \
+ --timeout 30m0s \
+ --parallel 0 \
+ --format spdx-json \
+ --skip-db-update \
+ --offline-scan \
+ --output /tmp/generated-harbor-sbom.spdx.json \
+ harbor-${HARBOR_TAG}
+
+ - name: Upload Generated CycloneDX SBOM
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: generated-harbor-sbom-cyclonedx
+ path: "/tmp/generated-harbor-sbom.cdx.json"
+ if-no-files-found: error
+
+ - name: Upload Generated SPDX SBOM
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: generated-harbor-sbom-spdx
+ path: "/tmp/generated-harbor-sbom.spdx.json"
+ if-no-files-found: error
+
+ - name: List Downloaded Artifacts
+ run: ls -lha
+
+ Augment:
+ runs-on: ubuntu-latest
+ needs: Generate
+ steps:
+
+ - uses: actions/checkout@v4 # v4
+
+ - name: Download all workflow run artifacts
+ uses: actions/download-artifact@v4 # v4
+
+ - name: Augment Stage - List Downloaded Artifacts
+ run: ls -lha
+
+ - name: Install sbomasm
+ run: |
+ curl -L -o /tmp/sbomasm \
+ "https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64"
+ chmod +x /tmp/sbomasm
+
+ - name: Augment harbor SPDX
+ run: |
+ # Augment the Generated SPDX with updated document information
+ # - Using `--append` option to ensure the author information is appended instead
+ # of replacing the tool information.
+ /tmp/sbomasm edit --append --subject Document \
+ --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
+ --supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+ --repository 'https://github.com/goharbor/harbor.git' \
+ --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
+ generated-harbor-sbom-spdx/generated-harbor-sbom.spdx.json > augmented_harbor-sbom.spdx.json
+
+ # Augment the Generated SPDX with updated primary component information
+ /tmp/sbomasm edit --subject primary-component \
+ --supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+ --repository 'https://github.com/goharbor/harbor.git' \
+ --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
+ augmented_harbor-sbom.spdx.json > /tmp/augmented_harbor-sbom.spdx.json
+
+ - name: Augment Harbor CycloneDX
+ run: |
+ # Augment the Generated CycloneDX with updated document information
+ /tmp/sbomasm edit --subject Document \
+ --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
+ --supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+ --lifecycle 'pre-build' \
+ --repository 'https://github.com/goharbor/harbor.git' \
+ --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
+ generated-harbor-sbom-cyclonedx/generated-harbor-sbom.cdx.json > augmented_harbor-sbom.cdx.json
+
+ # Augment the Generated CycloneDX with updated primary component information
+ /tmp/sbomasm edit --subject primary-component \
+ --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
+ --supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+ --repository 'https://github.com/goharbor/harbor.git' \
+ --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
+ augmented_harbor-sbom.cdx.json > /tmp/augmented_harbor-sbom.cdx.json
+
+ - name: Upload Augmented SPDX SBOM
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: augmented-harbor-sbom-spdx
+ path: "/tmp/augmented_harbor-sbom.spdx.json"
+
+ - name: Upload Augmented CycloneDX SBOM
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: augmented-harbor-sbom-cyclonedx
+ path: "/tmp/augmented_harbor-sbom.cdx.json"
+
+ Enrich:
+ runs-on: ubuntu-latest
+ needs: Augment
+ steps:
+
+ - uses: actions/checkout@v4 # v4
+ - name: Enrich Download all workflow run artifacts
+ uses: actions/download-artifact@v4 # v4
+
+ - name: Enrich Stage - List Downloaded Artifacts
+ run: ls -lha
+
+ - name: Enrich Stage - Download all workflow run artifacts
+ uses: actions/download-artifact@v4 # v4
+
+ - name: Install parlay
+ run: |
+ curl -Ls https://github.com/snyk/parlay/releases/download/v${PARLAY_VERSION}/parlay_Linux_x86_64.tar.gz | tar xvz -C /tmp
+ chmod +x /tmp/parlay
+
+ - name: Enrich Harbor CycloneDX
+ run: |
+ /tmp/parlay ecosystems enrich \
+ augmented-harbor-sbom-cyclonedx/augmented_harbor-sbom.cdx.json > /tmp/enriched_harbor-sbom.cdx.json
+
+ - name: Enrich Harbor SPDX
+ run: |
+ /tmp/parlay ecosystems enrich \
+ augmented-harbor-sbom-spdx/augmented_harbor-sbom.spdx.json > /tmp/enriched_harbor-sbom.spdx.json
+
+ - name: Upload Enriched SPDX SBOM
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: enriched-harbor-sbom-spdx
+ path: "/tmp/enriched_harbor-sbom.spdx.json"
+
+ - name: Upload Enriched CycloneDX SBOM
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: enriched-harbor-sbom-cyclonedx
+ path: "/tmp/enriched_harbor-sbom.cdx.json"
+
+ - name: Save Final SBOMs
+ run: |
+ cp /tmp/enriched_harbor-sbom.spdx.json /tmp/final_harbor-sbom.spdx.json
+ cp /tmp/enriched_harbor-sbom.cdx.json /tmp/final_harbor-sbom.cdx.json
+
+ - name: Upload Final SPDX SBOM
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: final-harbor-sbom-spdx
+ path: "/tmp/final_harbor-sbom.spdx.json"
+
+ - name: Upload Final CycloneDX SBOM
+ uses: actions/upload-artifact@v4 # v4
+ with:
+ name: final-harbor-sbom-cyclonedx
+ path: "/tmp/final_harbor-sbom.cdx.json"
+
+ Validate:
+ needs: Enrich
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+ - name: Download SBOMs
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+
+ - name: Install sbomqs
+ run: |
+ curl -L -o /tmp/sbomqs \
+ "https://github.com/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64"
+ chmod +x /tmp/sbomqs
+
+ - name: "Display SBOM quality score through sbomqs"
+ run: |
+ echo \`\`\` >> ${GITHUB_STEP_SUMMARY}
+ for SBOM in $(find . -iname final*.json); do
+ /tmp/sbomqs score "$SBOM" >> ${GITHUB_STEP_SUMMARY}
+ done
+ echo \`\`\` >> ${GITHUB_STEP_SUMMARY}
From ed0026f71626297bce22fb428ae2bf3477e70fed Mon Sep 17 00:00:00 2001 From: "Ricardo A. Reyes" Date: Tue, 10 Dec 2024 10:44:33 -0500 Subject: [PATCH 2/7] Referenced Harbor workflow in ReadMe file Signed-off-by: Ricardo A. Reyes
--- README.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 648ca5e..bc1921f 100644
--- a/README.md
+++ b/README.md
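Review bot: Every third-party tool this workflow runs (Trivy, sbomasm, parlay, sbomqs) is fetched with `curl -L` from a GitHub release and executed without any integrity check, and curl is not told to fail on HTTP errors, so a moved release or an altered asset is used silently — the sbomasm and sbomqs steps `chmod +x` whatever body came back, and the Trivy and parlay tarballs only fail at `tar`. Since the tool versions are already pinned in `env`, pin their digests beside them and verify before use, e.g. `curl -fsSL -o /tmp/sbomasm "https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64"` followed by `echo "${SBOMASM_SHA256}  /tmp/sbomasm" | sha256sum -c -`, where `SBOMASM_SHA256` is a new env entry holding the checksum published with that release (the same pattern applies to the other three installs). The hunk pins `actions/checkout` and `actions/download-artifact` to commit SHAs in the Validate job but uses the floating `@v4` tag in Generate, Augment and Enrich, and declares no `permissions:` block; a top-level `permissions:` with `contents: read` plus consistent SHA pinning would make the four jobs match. The Enrich job also runs `actions/download-artifact@v4` twice ("Enrich Download all workflow run artifacts" and "Enrich Stage - Download all workflow run artifacts"); the second download is redundant.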
@@ -20,6 +20,7 @@ All reference implementations follow a very similar flow and can easily be adapt
 - Keycloak (Java) - [Description](phase_1/keycloak/README.md) - [GitHub Workflow](.github/workflows/phase_1_keycloak.yml) - [GitLab Pipeline](https://gitlab.com/cisa-sbom-community/SBOM-Generation/-/blob/main/.gitlab/ci/phase_1_keycloak.yml?ref_type=heads)
 - Django Application (Python) - [GitHub Workflow](.github/workflows/phase_1_python.yml) - [GitLab Pipeline](https://gitlab.com/cisa-sbom-community/SBOM-Generation/-/blob/main/.gitlab/ci/phase_1_python.yml?ref_type=heads)
 - kubectl (Go) - [GitHub Workflow](.github/workflows/phase_2_kubectl.yml) - [GitLab Pipeline](https://gitlab.com/cisa-sbom-community/SBOM-Generation/-/blob/main/.gitlab/ci/phase_2_kubectl.yml?ref_type=heads)
+- Harbor (Go) - [GitHub Workflow](.github/workflows/phase_2_harbor.yml) - GitLab Pipeline
 ## Meeting
From 9e1af5fcc412a605d55d4388b6c4b3ce1d575045 Mon Sep 17 00:00:00 2001 From: "Ricardo A. Reyes" Date: Tue, 14 Jan 2025 11:00:12 -0500 Subject: [PATCH 3/7] Update .github/workflows/phase_2_harbor.yml Co-authored-by: Tieg Zaharia
--- .github/workflows/phase_2_harbor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/phase_2_harbor.yml b/.github/workflows/phase_2_harbor.yml
index 6304fff..58d6ace 100644
--- a/.github/workflows/phase_2_harbor.yml
+++ b/.github/workflows/phase_2_harbor.yml
@@ -102,7 +102,7 @@ jobs:
 # Augment the Generated SPDX with updated primary component information
 /tmp/sbomasm edit --subject primary-component \
- --supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+ --supplier 'Harbor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
 --repository 'https://github.com/goharbor/harbor.git' \
 --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
 augmented_harbor-sbom.spdx.json > /tmp/augmented_harbor-sbom.spdx.json
From b61072af23698e0cd83611da7c00f217b3caaff8 Mon Sep 17 00:00:00 2001 From: "Ricardo A. Reyes" Date: Tue, 14 Jan 2025 11:00:28 -0500 Subject: [PATCH 4/7] Update .github/workflows/phase_2_harbor.yml Co-authored-by: Tieg Zaharia
--- .github/workflows/phase_2_harbor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/phase_2_harbor.yml b/.github/workflows/phase_2_harbor.yml
index 58d6ace..131f8d2 100644
--- a/.github/workflows/phase_2_harbor.yml
+++ b/.github/workflows/phase_2_harbor.yml
@@ -95,7 +95,7 @@ jobs:
 # of replacing the tool information.
 /tmp/sbomasm edit --append --subject Document \
 --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
- --supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+ --supplier 'Harbor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
 --repository 'https://github.com/goharbor/harbor.git' \
 --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
 generated-harbor-sbom-spdx/generated-harbor-sbom.spdx.json > augmented_harbor-sbom.spdx.json
From bb9598c8736c87914cc117f61055ed92492ea3d8 Mon Sep 17 00:00:00 2001 From: "Ricardo A. Reyes" Date: Tue, 14 Jan 2025 11:00:41 -0500 Subject: [PATCH 5/7] Update .github/workflows/phase_2_harbor.yml Co-authored-by: Tieg Zaharia
--- .github/workflows/phase_2_harbor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/phase_2_harbor.yml b/.github/workflows/phase_2_harbor.yml
index 131f8d2..d94cd16 100644
--- a/.github/workflows/phase_2_harbor.yml
+++ b/.github/workflows/phase_2_harbor.yml
@@ -112,7 +112,7 @@ jobs:
 # Augment the Generated CycloneDX with updated document information
 /tmp/sbomasm edit --subject Document \
 --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
- --supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+ --supplier 'Harbor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
 --lifecycle 'pre-build' \
 --repository 'https://github.com/goharbor/harbor.git' \
 --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
From 3e7ec8581c705a792b3678be59daefcb1ff59d24 Mon Sep 17 00:00:00 2001 From: "Ricardo A. Reyes" Date: Tue, 14 Jan 2025 11:00:56 -0500 Subject: [PATCH 6/7] Update .github/workflows/phase_2_harbor.yml fix typo Co-authored-by: Tieg Zaharia
--- .github/workflows/phase_2_harbor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/phase_2_harbor.yml b/.github/workflows/phase_2_harbor.yml
index d94cd16..5a36185 100644
--- a/.github/workflows/phase_2_harbor.yml
+++ b/.github/workflows/phase_2_harbor.yml
@@ -121,7 +121,7 @@ jobs:
 # Augment the Generated CycloneDX with updated primary component information
 /tmp/sbomasm edit --subject primary-component \
 --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
- --supplier 'Habor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+ --supplier 'Harbor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
 --repository 'https://github.com/goharbor/harbor.git' \
 --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
 augmented_harbor-sbom.cdx.json > /tmp/augmented_harbor-sbom.cdx.json
From 0fdf0af8e25ca6dafb446dfeb9f53fd6c594b1f0 Mon Sep 17 00:00:00 2001
From: "Ricardo A. Reyes" Date: Wed, 15 Jan 2025 22:38:10 -0500 Subject: [PATCH 7/7] using published release version 2.12.1, not repository code
--- .github/workflows/phase_2_harbor.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/phase_2_harbor.yml b/.github/workflows/phase_2_harbor.yml
index 5a36185..6296733 100644
--- a/.github/workflows/phase_2_harbor.yml
+++ b/.github/workflows/phase_2_harbor.yml
@@ -6,7 +6,7 @@ on:
 - .github/workflows/phase_2_harbor.yml
 env:
- HARBOR_TAG: 2.11.2
+ HARBOR_TAG: 2.12.1
 PARLAY_VERSION: 0.6.0
 SBOMASM_VERSION: 0.1.5
 SBOMQS_VERSION: 0.1.9
@@ -25,11 +25,9 @@ jobs:
 - name: Checkout Harbor
 run: |
- git --version
- git clone https://github.com/goharbor/harbor.git
- pwd
- cp -r harbor harbor-${HARBOR_TAG}
- ls harbor-${HARBOR_TAG}
+ curl -L -o /tmp/harbor.tgz \
+ "https://github.com/goharbor/harbor/archive/refs/tags/v${HARBOR_TAG}.tar.gz"
+ tar xvf /tmp/harbor.tgz -C .
 - name: Generate SBOM with Trivy
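Review bot: The new fetch in the Checkout Harbor step downloads `https://github.com/goharbor/harbor/archive/refs/tags/v${HARBOR_TAG}.tar.gz` with `curl -L` and no `--fail` or integrity check, then unpacks it into the workspace with `tar xvf /tmp/harbor.tgz -C .`, so an HTTP error body or an altered archive is only noticed when the later Trivy step cannot find `harbor-${HARBOR_TAG}`, and that scan path now depends implicitly on the directory name inside the archive. Adding `-f` to curl and a guard such as `test -d "harbor-${HARBOR_TAG}"` after the extract makes both failures explicit; recording what was scanned (the tag's commit id, or an archive checksum kept in `env` under a placeholder like `HARBOR_ARCHIVE_SHA256`) would let the SBOM be tied to a verified input rather than to whatever the download returned — note that GitHub's auto-generated source archives are not guaranteed to stay byte-identical over time, so a commit id is the more durable reference. The commit subject says the workflow now uses the published release 2.12.1 rather than repository code, but this URL is the source archive of tag v2.12.1, which is still repository code frozen at the tag, not a released Harbor artifact; the step name `Checkout Harbor` also no longer describes what happens and could become `Download Harbor v${HARBOR_TAG} source archive`. The first hunk is a version bump and needs no change.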