-
Notifications
You must be signed in to change notification settings - Fork 1.4k
169 lines (130 loc) · 6.18 KB
/
typescript.yml
File metadata and controls
169 lines (130 loc) · 6.18 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
name: TypeScript
on:
push:
pull_request:
permissions: {}
jobs:
detect-packages:
permissions:
contents: read
runs-on: ubuntu-latest
outputs:
packages: ${{ steps.find-packages.outputs.packages }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Find JS packages
id: find-packages
working-directory: src
run: |
PACKAGES=$(find . -name package.json -not -path "*/node_modules/*" -exec dirname {} \; | sed 's/^\.\///' | jq -R -s -c 'split("\n")[:-1]')
echo "packages=$PACKAGES" >> $GITHUB_OUTPUT
build:
needs: [detect-packages]
if: ${{ needs.detect-packages.outputs.packages != '[]' && needs.detect-packages.outputs.packages != '' }}
strategy:
matrix:
package: ${{ fromJson(needs.detect-packages.outputs.packages) }}
name: Build ${{ matrix.package }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version-file: "src/${{ matrix.package }}/.node-version"
cache: npm
- name: Install dependencies
working-directory: src/${{ matrix.package }}
run: npm ci
- name: Build package
working-directory: src/${{ matrix.package }}
run: npm run build
- name: Upload Distribution
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: dist-${{ matrix.package }}
path: src/${{ matrix.package }}/dist/
- name: Generate Software Bill of Materials (SBOM)
run:
npx @cyclonedx/cyclonedx-npm --gather-license-texts --mc-type library --output-format XML > src/${{ matrix.package }}/sbom.cyclondx.xml
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.x"
- name: Display SBOM
run: |
cat <<EOT |
import re
import xml.etree.ElementTree as ET
import importlib.metadata as metadata
def parse_bom(xml_file):
# Parse the XML file
tree = ET.parse(xml_file)
root = tree.getroot()
# Get the latest namespace
find_namespace = re.match(r'\{.*\}', root.tag)
# Define the namespace
ns = {'cyclonedx': find_namespace.group(0)[1:-1] if find_namespace else 'http://cyclonedx.org/schema/bom/1.5'}
# Extract components
components = []
for component in root.findall('.//cyclonedx:component', ns):
comp_info = {}
# Get name, version, description, and purl
comp_info['name'] = component.find('cyclonedx:name', ns).text
comp_info['version'] = component.find('cyclonedx:version', ns).text
comp_info['description'] = component.find('cyclonedx:description', ns).text if component.find('cyclonedx:description', ns) is not None else "No description"
comp_info['purl'] = component.find('cyclonedx:purl', ns).text if component.find('cyclonedx:purl', ns) is not None else "No PURL"
# Get licenses
licenses = component.findall('.//cyclonedx:license/cyclonedx:id', ns)
if licenses:
comp_info['licenses'] = [license.text for license in licenses]
else:
comp_info['licenses'] = ["No licenses"]
# Extract additional information (copyright, etc.)
copyright_info = extract_copyright_from_metadata(comp_info['name'])
comp_info['copyright'] = copyright_info if copyright_info else "No copyright information"
components.append(comp_info)
return components
def extract_copyright_from_metadata(package_name):
try:
# Use importlib.metadata to retrieve metadata from the installed package
dist = metadata.distribution(package_name)
metadata_info = dist.metadata
# Extract relevant metadata
copyright_info = []
author = metadata_info.get('Author')
author_email = metadata_info.get('Author-email')
license_info = metadata_info.get('License')
if author:
copyright_info.append(f"Author: {author}")
if author_email:
copyright_info.append(f"Author Email: {author_email}")
if license_info:
copyright_info.append(f"License: {license_info}")
# Check for classifiers or any extra metadata fields
if 'Classifier' in metadata_info:
for classifier in metadata_info.get_all('Classifier'):
if 'copyright' in classifier.lower():
copyright_info.append(classifier)
return ', '.join(copyright_info) if copyright_info else None
except metadata.PackageNotFoundError:
return None
def main():
bom_file = 'bom.xml' # Replace with your BOM file path
components = parse_bom(bom_file)
for component in components:
print(f"Name: {component['name']}")
print(f"Version: {component['version']}")
print(f"Description: {component['description']}")
print(f"PURL: {component['purl']}")
print(f"Licenses: {', '.join(component['licenses'])}")
print(f"Copyright: {component['copyright']}")
print("-" * 40)
if __name__ == "__main__":
main()
EOT
python -
- name: Upload Software Bill of Materials
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: sbom-${{ matrix.package }}
path: src/${{ matrix.package }}/sbom.cyclondx.xml