database_system/.github/workflows/sbom.yml at eaf659c67159b997a2b0b53785ff44e433030f3d · kcenon/database_system · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
name: SBOM Generation

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  release:
    types: [ published ]
  schedule:
    # Generate SBOM weekly on Sunday at 3 AM UTC
    - cron: '0 3 * * 0'
  workflow_dispatch:

permissions:
  contents: write
  packages: read
  security-events: write

jobs:
  generate-sbom:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v6
      with:
        submodules: true

    - name: Generate SBOM with Syft (CycloneDX)
      uses: anchore/sbom-action@v0
      with:
        path: .
        format: cyclonedx-json
        output-file: sbom-cyclonedx.json
        artifact-name: sbom-cyclonedx

    - name: Generate SBOM with Syft (SPDX)
      uses: anchore/sbom-action@v0
      with:
        path: .
        format: spdx-json
        output-file: sbom-spdx.json
        artifact-name: sbom-spdx

    - name: Scan SBOM for CVEs with Grype
      uses: anchore/scan-action@v7
      id: grype-scan
      with:
        sbom: sbom-cyclonedx.json
        severity-cutoff: ${{ vars.GRYPE_SEVERITY_CUTOFF || 'critical' }}
        fail-build: ${{ github.event_name == 'pull_request' }}
        output-format: sarif

    - name: Upload Grype SARIF to GitHub Security
      uses: github/codeql-action/upload-sarif@v4
      if: always() && steps.grype-scan.outputs.sarif != ''
      continue-on-error: true
      with:
        sarif_file: ${{ steps.grype-scan.outputs.sarif }}

    - name: Parse vcpkg dependencies
      run: |
        if [ -f "vcpkg.json" ]; then
          python3 << 'PYEOF' > vcpkg-dependencies.md
        import json

        with open('vcpkg.json', 'r') as f:
            manifest = json.load(f)

        print("# vcpkg Dependencies")
        print()
        print(f"**Project**: {manifest.get('name', 'N/A')}")
        print(f"**Version**: {manifest.get('version', 'N/A')}")
        print()
        print("## Direct Dependencies")
        print()
        print("| Package | Version Constraint | Features |")
        print("|---------|-------------------|----------|")

        deps = manifest.get('dependencies', [])
        for dep in deps:
            if isinstance(dep, str):
                print(f"| {dep} | - | - |")
            elif isinstance(dep, dict):
                name = dep.get('name', 'unknown')
                version = dep.get('version>=', '-')
                features = ', '.join(dep.get('features', [])) or '-'
                print(f"| {name} | {version} | {features} |")

        features = manifest.get('features', {})
        if features:
            print()
            print("## Feature Dependencies")
            print()
            for feat_name, feat_data in features.items():
                feat_deps = feat_data.get('dependencies', [])
                if feat_deps:
                    print(f"### {feat_name}")
                    print()
                    print("| Package | Version Constraint | Features |")
                    print("|---------|-------------------|----------|")
                    for dep in feat_deps:
                        if isinstance(dep, str):
                            print(f"| {dep} | - | - |")
                        elif isinstance(dep, dict):
                            name = dep.get('name', 'unknown')
                            version = dep.get('version>=', '-')
                            dep_features = ', '.join(dep.get('features', [])) or '-'
                            print(f"| {name} | {version} | {dep_features} |")
                    print()
        PYEOF
        else
          echo "No vcpkg.json found" > vcpkg-dependencies.md
        fi

    - name: Create combined SBOM report
      run: |
        echo "# Software Bill of Materials (SBOM)" > SBOM_REPORT.md
        echo "" >> SBOM_REPORT.md
        echo "**Repository**: ${{ github.repository }}" >> SBOM_REPORT.md
        echo "**Branch**: ${{ github.ref_name }}" >> SBOM_REPORT.md
        echo "**Commit**: ${{ github.sha }}" >> SBOM_REPORT.md
        echo "**Generated**: $(date -u)" >> SBOM_REPORT.md
        echo "" >> SBOM_REPORT.md
        echo "## Available Formats" >> SBOM_REPORT.md
        echo "" >> SBOM_REPORT.md
        echo "- **CycloneDX**: sbom-cyclonedx.json" >> SBOM_REPORT.md
        echo "- **SPDX**: sbom-spdx.json" >> SBOM_REPORT.md
        echo "" >> SBOM_REPORT.md
        cat vcpkg-dependencies.md >> SBOM_REPORT.md

    - name: Upload SBOM artifacts
      uses: actions/upload-artifact@v7
      with:
        name: sbom-${{ github.sha }}
        path: |
          sbom-cyclonedx.json
          sbom-spdx.json
          vcpkg-dependencies.md
          SBOM_REPORT.md
        retention-days: 90

    - name: Upload SBOM to release
      if: github.event_name == 'release'
      uses: softprops/action-gh-release@v2
      with:
        files: |
          sbom-cyclonedx.json
          sbom-spdx.json
          SBOM_REPORT.md
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Submit SBOM to Dependency Graph
      uses: advanced-security/spdx-dependency-submission-action@v0.2.0
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      continue-on-error: true
      with:
        filePath: sbom-spdx.json