SBOM-Community · vpetersson · Jan 18, 2025 · Dec 9, 2024 · Dec 10, 2024 · Jan 14, 2025
@@ -0,0 +1,219 @@
+---
+name: Phase 2 - Harbor
+on:
+  push:
+    paths:
+      - .github/workflows/phase_2_harbor.yml
+
+env:
+  HARBOR_TAG: 2.12.1
+  PARLAY_VERSION: 0.6.0
+  SBOMASM_VERSION: 0.1.5
+  SBOMQS_VERSION: 0.1.9
+  TRIVY_VERSION: 0.54.1
+
+jobs:
+  Generate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Trivy
+        run: |
+          curl -L -o /tmp/trivy.tgz \
+            "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
+          tar xvf /tmp/trivy.tgz -C /tmp
+          chmod +x /tmp/trivy
+
+      - name: Checkout Harbor
+        run: |
+          curl -L -o /tmp/harbor.tgz \
+            "https://github.com/goharbor/harbor/archive/refs/tags/v${HARBOR_TAG}.tar.gz"
+          tar xvf /tmp/harbor.tgz -C .
+
+
+      - name: Generate SBOM with Trivy
+        run: |
+          /tmp/trivy fs \
+            --timeout 30m0s \
+            --parallel 0 \
+            --format cyclonedx \
+            --skip-db-update \
+            --offline-scan \
+            --output /tmp/generated-harbor-sbom.cdx.json \
+            harbor-${HARBOR_TAG}
+
+          /tmp/trivy fs \
+            --timeout 30m0s \
+            --parallel 0 \
+            --format spdx-json \
+            --skip-db-update \
+            --offline-scan \
+            --output /tmp/generated-harbor-sbom.spdx.json \
+            harbor-${HARBOR_TAG}
+
+      - name: Upload Generated CycloneDX SBOM
+        uses: actions/upload-artifact@v4 # v4
+        with:
+          name: generated-harbor-sbom-cyclonedx
+          path: "/tmp/generated-harbor-sbom.cdx.json"
+          if-no-files-found: error
+
+      - name: Upload Generated SPDX SBOM
+        uses: actions/upload-artifact@v4 # v4
+        with:
+          name: generated-harbor-sbom-spdx
+          path: "/tmp/generated-harbor-sbom.spdx.json"
+          if-no-files-found: error
+
+      - name: List Downloaded Artifacts
+        run: ls -lha
+
+  Augment:
+    runs-on: ubuntu-latest
+    needs: Generate
+    steps:
+
+      - uses: actions/checkout@v4 # v4
+
+      - name: Download all workflow run artifacts
+        uses: actions/download-artifact@v4 # v4
+
+      - name: Augment Stage - List Downloaded Artifacts
+        run: ls -lha
+
+      - name: Install sbomasm
+        run: |
+          curl -L -o /tmp/sbomasm \
+            "https://github.com/interlynk-io/sbomasm/releases/download/v${SBOMASM_VERSION}/sbomasm-linux-amd64"
+          chmod +x /tmp/sbomasm
+
+      - name: Augment harbor SPDX
+        run: |
+          # Augment the Generated SPDX with updated document information
+          #   - Using `--append` option to ensure the author information is appended instead
+          #     of replacing the tool information.
+          /tmp/sbomasm edit --append --subject Document \
+              --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
+              --supplier 'Harbor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+              --repository 'https://github.com/goharbor/harbor.git' \
+              --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
+              generated-harbor-sbom-spdx/generated-harbor-sbom.spdx.json > augmented_harbor-sbom.spdx.json
+
+          # Augment the Generated SPDX with updated primary component information
+          /tmp/sbomasm edit --subject primary-component \
+              --supplier 'Harbor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+              --repository 'https://github.com/goharbor/harbor.git' \
+              --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
+              augmented_harbor-sbom.spdx.json > /tmp/augmented_harbor-sbom.spdx.json
+
+      - name: Augment Harbor CycloneDX
+        run: |
+          # Augment the Generated CycloneDX with updated document information
+          /tmp/sbomasm edit --subject Document \
+              --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
+              --supplier 'Harbor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+              --lifecycle 'pre-build' \
+              --repository 'https://github.com/goharbor/harbor.git' \
+              --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
+              generated-harbor-sbom-cyclonedx/generated-harbor-sbom.cdx.json > augmented_harbor-sbom.cdx.json
+
+          # Augment the Generated CycloneDX with updated primary component information
+          /tmp/sbomasm edit --subject primary-component \
+              --author 'CISA Tiger Group for SBOM Generation Reference Implementations' \
+              --supplier 'Harbor by Cloud Native Computing Foundation (CNCF)(https://goharbor.io)' \
+              --repository 'https://github.com/goharbor/harbor.git' \
+              --license 'Apache-2.0 (https://github.com/goharbor/harbor/blob/main/LICENSE)' \
+              augmented_harbor-sbom.cdx.json > /tmp/augmented_harbor-sbom.cdx.json
+
+      - name: Upload Augmented SPDX SBOM
+        uses: actions/upload-artifact@v4 # v4
+        with:
+          name: augmented-harbor-sbom-spdx
+          path: "/tmp/augmented_harbor-sbom.spdx.json"
+
+      - name: Upload Augmented CycloneDX SBOM
+        uses: actions/upload-artifact@v4 # v4
+        with:
+          name: augmented-harbor-sbom-cyclonedx
+          path: "/tmp/augmented_harbor-sbom.cdx.json"
+
+  Enrich:
+    runs-on: ubuntu-latest
+    needs: Augment
+    steps:
+
+      - uses: actions/checkout@v4 # v4
+      - name: Enrich Download all workflow run artifacts
+        uses: actions/download-artifact@v4 # v4
+
+      - name: Enrich Stage - List Downloaded Artifacts
+        run: ls -lha
+
+      - name: Enrich Stage - Download all workflow run artifacts
+        uses: actions/download-artifact@v4 # v4
+
+      - name: Install parlay
+        run: |
+          curl -Ls https://github.com/snyk/parlay/releases/download/v${PARLAY_VERSION}/parlay_Linux_x86_64.tar.gz | tar xvz -C /tmp
+          chmod +x /tmp/parlay
+
+      - name: Enrich Harbor CycloneDX
+        run: |
+          /tmp/parlay ecosystems enrich \
+            augmented-harbor-sbom-cyclonedx/augmented_harbor-sbom.cdx.json > /tmp/enriched_harbor-sbom.cdx.json
+
+      - name: Enrich Harbor SPDX
+        run: |
+          /tmp/parlay ecosystems enrich \
+            augmented-harbor-sbom-spdx/augmented_harbor-sbom.spdx.json > /tmp/enriched_harbor-sbom.spdx.json
+
+      - name: Upload Enriched SPDX SBOM
+        uses: actions/upload-artifact@v4 # v4
+        with:
+          name: enriched-harbor-sbom-spdx
+          path: "/tmp/enriched_harbor-sbom.spdx.json"
+
+      - name: Upload Enriched CycloneDX SBOM
+        uses: actions/upload-artifact@v4 # v4
+        with:
+          name: enriched-harbor-sbom-cyclonedx
+          path: "/tmp/enriched_harbor-sbom.cdx.json"
+
+      - name: Save Final SBOMs
+        run: |
+          cp /tmp/enriched_harbor-sbom.spdx.json /tmp/final_harbor-sbom.spdx.json
+          cp /tmp/enriched_harbor-sbom.cdx.json /tmp/final_harbor-sbom.cdx.json
+
+      - name: Upload Final SPDX SBOM
+        uses: actions/upload-artifact@v4 # v4
+        with:
+          name: final-harbor-sbom-spdx
+          path: "/tmp/final_harbor-sbom.spdx.json"
+
+      - name: Upload Final CycloneDX SBOM
+        uses: actions/upload-artifact@v4 # v4
+        with:
+          name: final-harbor-sbom-cyclonedx
+          path: "/tmp/final_harbor-sbom.cdx.json"
+
+  Validate:
+    needs: Enrich
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Download SBOMs
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+
+      - name: Install sbomqs
+        run: |
+          curl -L -o /tmp/sbomqs \
+            "https://github.com/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64"
+          chmod +x /tmp/sbomqs
+
+      - name: "Display SBOM quality score through sbomqs"
+        run: |
+          echo \`\`\` >> ${GITHUB_STEP_SUMMARY}
+          for SBOM in $(find . -iname final*.json); do
+            /tmp/sbomqs score "$SBOM" >> ${GITHUB_STEP_SUMMARY}
+          done
+          echo \`\`\` >> ${GITHUB_STEP_SUMMARY}
@@ -20,6 +20,7 @@ All reference implementations follow a very similar flow and can easily be adapt
 - Keycloak (Java) - [Description](phase_1/keycloak/README.md) - [GitHub Workflow](.github/workflows/phase_1_keycloak.yml) - [GitLab Pipeline](https://gitlab.com/cisa-sbom-community/SBOM-Generation/-/blob/main/.gitlab/ci/phase_1_keycloak.yml?ref_type=heads)
 - Django Application (Python) - [GitHub Workflow](.github/workflows/phase_1_python.yml) - [GitLab Pipeline](https://gitlab.com/cisa-sbom-community/SBOM-Generation/-/blob/main/.gitlab/ci/phase_1_python.yml?ref_type=heads)
 - kubectl (Go) - [GitHub Workflow](.github/workflows/phase_2_kubectl.yml) - [GitLab Pipeline](https://gitlab.com/cisa-sbom-community/SBOM-Generation/-/blob/main/.gitlab/ci/phase_2_kubectl.yml?ref_type=heads)
+- Harbor (Go) - [GitHub Workflow](.github/workflows/phase_2_harbor.yml) - GitLab Pipeline 
 
 ## Meeting