Merge pull request #814 from oracle/config/adding-sbom-config

davidecorreu · web-flow · commit d4968c52e1df · 2024-07-05T16:00:52.000+02:00
SBOM creation
diff --git a/sbom_generation.yaml b/sbom_generation.yaml
@@ -0,0 +1,54 @@
+# Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+
+# This OCI DevOps build specification file [1] generates a Software Bill of Materials (SBOM) of the repository.
+# The file is needed to run checks for third-party vulnerabilities and business approval according to Oracle’s GitHub policies.
+# [1] https://docs.oracle.com/en-us/iaas/Content/devops/using/build_specs.htm
+
+version: 0.1
+component: build
+timeoutInSeconds: 1000
+shell: bash
+
+steps:
+  - type: Command
+    name: "Install npm"
+    command: |
+      # Install npm version 8.19.4
+      npm i -g npm@v8.19.4
+  - type: Command
+    name: "Install node-cli & unit-testing packages"
+    command: |
+      npm install --ignore-scripts
+  - type: Command
+    name: "Install cyclonedx globally"
+    command: |
+      npm install --ignore-scripts -g @cyclonedx/cyclonedx-npm
+  - type: Command
+    name: "Run cyclonedx for node-cli & unit-testing packages"
+    command: |
+      # For more details, visit https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/README.md
+      npx @cyclonedx/cyclonedx-npm --omit dev --output-format JSON --output-file artifactSBOM_node-cli_unit-testing.json --spec-version 1.4
+  - type: Command
+    name: "Install vscode extension package"
+    command: |
+      cd packages/vscode-extension && npm install --ignore-scripts
+  - type: Command
+    name: "Run cyclonedx for vscode-extension package"
+    command: |
+      # For more details, visit https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/README.md
+      cd packages/vscode-extension && npx @cyclonedx/cyclonedx-npm --omit dev --output-format JSON --output-file artifactSBOM_vscode-extension.json --spec-version 1.4
+  - type: Command
+    name: "Download CycloneDx-linux-cli executable and install dependencies"
+    command: |
+      wget https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
+      yum install -y libicu
+  - type: Command
+    name: "Merge multiple SBOMs using CycloneDX-linux-cli"
+    command: |
+      # For more details, visit https://github.com/CycloneDX/cyclonedx-cli/blob/main/README.md
+      chmod +x cyclonedx-linux-x64
+      ./cyclonedx-linux-x64 merge --input-files artifactSBOM_node-cli_unit-testing.json packages/vscode-extension/artifactSBOM_vscode-extension.json --output-file artifactSBOM.json
+outputArtifacts:
+  - name: artifactSBOM
+    type: BINARY
+    location: ${OCI_PRIMARY_SOURCE_DIR}/artifactSBOM.json
