sbom/.github/workflows/tests.yaml at 10d735bf40aef93e035d7acc0840ec06d25d48ab · scality/sbom · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: "action-test"
on:
  push:
  pull_request:

jobs:
  test-as-action:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          path: ./
          fetch-depth: 0
          fetch-tags: true

      - name: Download artifact
        shell: bash
        run: curl -o /tmp/Core-15.0.iso https://distro.ibiblio.org/tinycorelinux/15.x/x86/release/Core-15.0.iso

      - name: Scan repo
        uses: ./
        with:
          target: ./
          output-dir: "/tmp/test/sbom"
          vuln-report: True

      - name: Scan directory
        uses: ./
        with:
          target: /usr/local/bin
          output-dir: "/tmp/test/sbom"
          syft-version: "1.10.0"
          name: "usrlocalbin"

      - name: Scan iso
        uses: ./
        with:
          target: /tmp/Core-15.0.iso
          output-dir: "/tmp/test/sbom"
          version: "15.0"
          name: "tinycorelinux"
          vuln-report: False

      - name: Ensure generated sbom file for repo contains the expected content
        shell: bash
        run: |
          if jq -e '.components[] | select(.name == "lodash")' /tmp/test/sbom/repo_sbom_*.json > /dev/null; then
            echo "lodash is present in the JSON file."
            exit 0
          else
            echo "lodash is NOT present in the JSON file."
            exit 1
          fi

      - name: Ensure generated sbom file for iso contains the expected content
        shell: bash
        run: |
          if jq -e '.components[] | select(.version == "6.6.8-tinycore")' /tmp/test/sbom/iso_tinycorelinux_15.0.json > /dev/null; then
            echo "tinycore is present in the JSON file."
            exit 0
          else
            echo "tinycore is NOT present in the JSON file."
            exit 1
          fi

      - name: Ensure generated sbom file for dir contains the expected content
        shell: bash
        run: |
          if jq -e '.components[] | select(.purl == "pkg:golang/github.com/anchore/syft@v1.10.0")' /tmp/test/sbom/dir_bin_undefined.json > /dev/null; then
            echo "syft is present in the JSON file."
            exit 0
          else
            echo "syft is NOT present in the JSON file."
            exit 1
          fi

      - name: Print the content of generated sbom file
        shell: bash
        run: |
          for sbom in /tmp/test/sbom/*.json; do
            echo "Content of $sbom"
            cat $sbom
          done
          for sbom in /tmp/test/sbom/reports/*.html; do
            echo "Content of vulnerability result for SBOM: $sbom"
            cat $sbom
          done